In brief
The Office of the Personal Data Protection Committee (PDPC) has formally approved Binding Corporate Rules (BCRs), confirming that Thailand’s BCR regime is now fully operational in practice. Organizations with existing EU/UK‑approved BCRs may be able to streamline the Thai approval process by adapting their established frameworks to meet PDPA‑specific requirements.
In more detail
This development follows the issuance of the PDPC Regulation on the Examination and Certification of Binding Corporate Rules B.E. 2568 (2025), published in the Royal Gazette on 17 February 2026 [link]. It sets out a structured review and certification process administered by the PDPC, marking Thailand’s first formal mechanism for the approval of BCRs.
Why BCRs matter for multinational groups
BCRs are one of the lawful mechanisms for cross‑border data transfers
Under the PDPA, cross-border transfers of personal data are generally prohibited, unless one of the permitted transfer mechanisms applies, namely:
- Transfer to a destination country with an adequate level of data protection (whitelisted countries)
- Statutory derogations for transfers to non‑whitelisted countries (e.g., compliance with legal obligation, with the data subject's consent, or contractual obligations)
- BCRs for intra‑group international transfers
- Appropriate safeguards, such as Standard Contractual Clauses (SCCs) (including EU SCCs or ASEAN Model Contractual Clauses (MCCs))
While several mechanisms exist, some are not yet practical in Thailand (notably, the PDPC has not issued a list of whitelisted countries).
BCRs are a regulator‑endorsed pathway for intra‑group transfers
BCRs allow multinational groups to adopt uniform privacy standards across group entities, and avoid the need to sign separate SCCs between a Thai entity and each overseas affiliate.
BCRs allow alignment with global data‑protection regimes
With the introduction of BCRs, Thailand aligns with leading data protection jurisdictions (including GDPR countries). Approved BCRs:
- Impose legally binding obligations on all participating group members
- Designate a Thailand-based liable entity responsible for damages arising from non-compliance by overseas affiliates
- Grant Thai data subjects third-party beneficiary rights to enforce the BCR
Who can apply
The applicant must:
- Be part of a qualifying group of undertakings or enterprises under the PDPA
- Be legally established and physically present in Thailand
- Be designated as the Thai liable BCR entity in Thailand
Fast‑track for EU/UK‑approved BCRs
Organizations with existing EU or UK BCR approvals may benefit from an accelerated review process. While Thai regulatory review still applies, applicants can leverage their existing frameworks by:
- Submitting evidence of EU/UK BCR approval and the approved BCR documentation
- Preparing a "Thai‑specific BCR addendum" addressing PDPA‑required elements (e.g., Thai liable BCR entity, PDPC oversight, Thai court jurisdiction, and third-party beneficiary rights)
Key takeaways
We encourage organizations with existing EU or UK BCR approvals to consider leveraging the BCR approval mechanism in Thailand.
- BCRs provide a robust, regulator‑approved framework for cross‑border data transfers within a corporate group in Thailand.
- The approval process requires Thai language submissions and may take approximately six months.
- Alternatively, organizations may explore other transfer solutions, such as intra-group agreements relying on EU SCCs or ASEAN MCCs, which can be implemented without prior PDPC approval.
If you wish to discuss or require further information, please contact our team.
* * * * *
Chanaporn Anurukwongkul, Associate, has contributed to this legal update.