This legal brief provides a summary of the key principles and provisions of the Personal Data Protection Committee (“PDPC”) of Thailand’s Regulation on Verification and Certification of Binding Corporate Rules B.E. 2568 (A.D. 2025) dated 29th September 2025 (“BCR Regulation”).
1. General Provisions, Scope, and Definitions
The BCR Regulation establishes the guidelines for verifying and certifying the Binding Corporate Rules (“BCR”), which serves as a mechanism for cross-border data transfers under Section 29 of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”). The BCR Regulation applies to the BCR for Controllers (“BCR-C”), where members transfer and process data as controllers, and the BCR for Processors (“BCR-P”), where members process data on behalf of external controllers (Clause 2 of the BCR Regulation).
The BCR Regulation includes the Liable BCR Member, which refers to a group member established in Thailand who explicitly agrees to accept liability and pay compensation for violations committed by members outside Thailand. This is to ensure that data subjects in Thailand have an effective channel for complaints and legal remedies within Thailand. Additionally, third-party beneficiary rights must be explicitly defined, allowing data subjects to enforce their rights under the BCR directly against members as if they were parties to the agreement (Clause 2 of the BCR Regulation).
2. Applicant Qualifications and Submission Channels
The applicant must be a member of the same affiliated business or group of undertakings and must be established under Thai law with a physical presence in Thailand. The applicant can be either the headquarters of the group in Thailand or a member assigned responsibility for personal data protection within Thailand if no headquarters exists. Submission of the application can be made directly to the Office of the Personal Data Protection Committee (“OPDPC”), via post, email, or through other channels designated by the OPDPC (Clauses 7 and 9 of the BCR Regulation).
3. Required Documentation
Applications and supporting documents must be in Thai. If the original documents are in a foreign language, a certified and notarized Thai translation must be provided. The required documents include:
(1) the application form specifying the BCR type (BCR-C or BCR-P);
(2) the complete BCR documents including all appendices and a list of bound members;
(3) a binding instrument, such as an Intra-Group Agreement (IGA);
(4) a referential checklist cross-referencing the regulation’s requirements with the BCR content to speed up the review (optional); and
(5) other additional documents (e.g., personal data protection policy, training documents), company affidavit, and power of attorney (if applicable) (Clause 8 of the BCR Regulation).
4. Special Process for Recognized BCRs
The BCR Regulation provides special process for BCRs already approved under the EU GDPR, the UK GDPR, or data protection laws of other countries recognized by the PDPC. In these cases, the applicant may submit proof of the foreign certification and the approved BCR text, accompanied by a Thailand BCR Addendum that contains specific provisions for Thailand, which includes at least the followings:
(1) identification of the Liable BCR Member in Thailand;
(2) confirmation of third-party beneficiary rights for Thailand data subjects;
(3) acceptance of the OPDPC’s supervisory power and Thai court jurisdiction; and
(4) clarifications to ensure consistency with the PDPA (Clause 11 of the BCR Regulation).
5. Key Elements and Evaluation Principles
For certification, the OPDPC evaluates the BCR based on several core principles including legal effect and binding nature, effective enforcement, duty to cooperate, provisions guaranteeing personal data protection, personal data protection measures, and accountability and other supporting mechanisms (Clause 12 of the BCR Regulation).
6. Review Timeline and Outcomes
Upon receipt, the OPDPC performs an administrative check within 15 days. If complete, a case officer conducts a detailed substantive review, which must be completed within 180 days (extendable for necessary reasons) (Clauses 13 and 16 of the BCR Regulation). The review results in one of three outcomes:
(1) Certified: The BCR fully meets criteria.
(2) Conditionally Certified: The BCR requires minor amendments within a set timeframe.
(3) Not Certified: The BCR does not meet the criteria (Clause 15 of the BCR Regulation).
7. Validity, Appeals, and Fees
Validity: Once certified, the BCR is valid indefinitely until amended or revoked (Clause 17 of the BCR Regulation).
Appeals: The applicants can appeal a rejection or conditional certification under administrative law procedures (Clause 18 of the BCR Regulation).
Fees: There are no fees or service charges for processing applications (Clause 19 of the BCR Regulation).
LawPlus Ltd.
January 2026
To see the archive of our past newsletters and articles please click here.
AUTHOR
Senior Partner | bangkok
Partner | bangkok
Associate | bangkok
The information provided in this document is general in nature and may not apply to any specific situation. Specific advice should be sought before taking any action based on the information provided. Under no circumstances shall LawPlus Ltd. and LawPlus Myanmar Ltd. or any of their directors, partners and lawyers be liable for any direct or indirect, incidental or consequential loss or damage that results from the use of or the reliance upon the information contained in this document. Copyright © 2016 to 2020 LawPlus Ltd.
