Introduction
The Regulation of the Office of the Personal Data Protection Committee on the Examination and Certification of Binding Corporate Rules within the Same Affiliated Business or the Same Group of Undertakings B.E. 2568 (2025) (“New Regulation“), which was published in the Government Gazette on 17 February 2026, took effect from the date of its publication. The New Regulation sets out the procedure, criteria, and requirement for submitting an application for the examination and certification of binding corporate rules (“BCR“) to the Office of the Personal Data Protection Committee (“PDPC“) in Thailand.
Scope of Enforcement
With reference to the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”) and the Notification of the PDPC on criteria for the protection of personal data sent or transferred to a foreign country pursuant to section 29 of the PDPA B.E. 2566 (2023) (“Notification”), the New Regulation sets out the framework guiding PDPC in considering the application, review, examination and certification, and regulation of BCR relating to the transfer of personal data to recipients in another country that are within the same affiliated business or group of undertakings for purposes of internal business operations. The New Regulation also serves as a guideline for entities wishing to submit applications for the PDPC’s review and certification of their BCR, with the aim of ensuring compliance with the PDPA and the Notification.
Basic Principles and Key Elements of BCR
BCR under the New Regulation can be categorised into two: (i) BCR for data controllers; and (ii) BCR for data processors (“BCR-P“).
Under the New Regulation, BCR refer to rules or agreements on personal data protection that are mutually agreed upon and binding on both the senders or transferors of personal data and the recipients. This purpose of such BCR is to establish appropriate data protection standards within a business group, in accordance with section 29 of the PDPA and the Notification.
The key elements of the BCR are as follows:
- The enforcement and validation by law: BCR must establish a personal data protection policy that is appropriate, effective, and legally binding and enforceable across a group of undertakings or the same business group.
- Effective enforcement: BCR must provide appropriate and effective mechanisms for the examination and monitoring of BCR compliance.
Obligation to cooperate: BCR must include an undertaking by all members covered by the BCR agree to cooperate with PDPC in the performance of its duties, including agreeing to submit to examinations by PDPC, and comply with any recommendations and orders that PDPC may issue in relation to the BCR. As for BCR-P, it shall stipulate the obligations to cooperate with the data controller, which is a third party, and provide any support in respect of compliance with the law.
- Requirements ensuring the protection of personal data: BCR must provide mechanisms to ensure that the rights of the personal data owner (data subject) are protected, and that claim procedures in respect of personal data sent or transferred to the same business group in other countries, are in place.
- Personal data protection measures: BCR must set out appropriate and legally-compliant personal data protection principles. These must at least include the basic principles of personal data protection and security measures that comply with the minimum standard prescribed by law.
- Accountability and other supporting mechanisms: BCR should include mechanisms to support accountability, such as requirements for records of processing activities and conducting risks assessments.
Application for Examination and Certification of BCR
- Requirements in relation to an applicant: The applicant must be incorporated under Thai law and (i) a headquartered entity of the business group in Thailand; or (ii) in case of an entity’s headquarter not being located in Thailand, a BCR member responsible for personal data protection in Thailand.
- Special procedure for BCR certified by other authorities: If the BCR have already been examined and certified under Regulation (EU) 2016/679 of the European Parliament and of the Council or the United Kingdom General Data Protection Regulation (“GDPR“), the applicant may, for the sake of efficiency, submit such certified BCR to PDPC together with other documents required under the New Regulation.
- Government Fee: No government fee is payable for the examination and certification of BCR.
PDPC’s Consideration of the Application
PDPC may consider and decide on an application for approval of BCR within 180 days from the date of filing. Where the applicant disagrees with the PDPC’s decision, the applicant has the right to appeal against the decision in accordance with laws.
Key Takeaways for Applicants
Applicants for the certification of BCR must ensure that they are clearly drafted, legally binding, and applied consistently across all entities within the corporate group. The BCR must comply with the PDPA and clearly define governance arrangements, roles and responsibilities, and cooperation obligations within the group members.
Applicants must also show that appropriate personal data protection and security measures are in place, supported by binding intra‑group arrangements.
The certification of BCR is granted following review by the PDPC and, once certified, will apply across all group entities, including for cross‑border personal data transfers. Once BCR are certified, they remain effective on an indefinite basis, unless and until the BCR are amended, modified, or revoked.
If you have any queries or need clarifications on the above, please contact our team.
Contribution Note
This Legal Update is contributed by the listed Contact Partners, with the assistance of Itthiwut Saengratanadej (Senior Associate, Rajah & Tann (Thailand) Limited) and Prapavarin Aphaivongs (Associate, Rajah & Tann (Thailand) Limited).
Disclaimer
Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.
The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.
Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.
