Thailand Personal Data Protection Laws Update: New PDPC Rules on the Review and Certification of Personal Data Protection Policies Within the Same Affiliated Business or Group of Undertakings, B.E. 2568 (2025)

On September 29, 2025, the Personal Data Protection Committee (PDPC) issued Rules (“Rules”) establishing guidelines for the submission, consideration, examination, certification, and supervision of Personal Data Protection Policies that apply within the same affiliated business or group of undertakings (“Binding Corporate Rules,” or “BCR”). The new Rules apply to transfers of personal data from Thailand by data exporters located in Thailand to data recipients located abroad but within the same affiliated business or group of undertakings, whether or not the Personal Data Protection Committee has ruled the destination country has adequate personal data protection standards.

The Rules govern both types of BCR:

1. Policy for Personal Data Controllers (BCR for Controllers or BCR-C); and
2. Policy for Personal Data Processors (BCR for Processors or BCR-P)

The Rules define key terms in Article 29 paragraph 2 of the Personal Data Protection Act B.E. 2562 (PDPA), wherein “the same affiliated business or group of undertakings” refers to businesses where one entity has control or management authority over another, or is controlled by another entity, in the form of parent companies, subsidiaries, or affiliates. This includes individuals or legal entities that are connected legally or operationally, as determined in accordance with relevant laws and generally accepted accounting standards.

A key qualification in Article 7 of the Rules states that the applicant must be a member of the same affiliated business or group of undertakings (i.e., an entity within the same affiliated business or group of undertakings that agrees to be bound by the BCR) established under Thai law and must have a place of business in Thailand. Whether or not the applicant is established under Thai law and has a place of business in Thailand, the PDPC shall consider one of the following characteristics: 

• Whether the applicant is the headquarters of the same affiliated business or group of undertakings in Thailand, or
• If the same affiliated business or group of undertakings does not have a headquarters in Thailand, the applicant must be a designated member responsible for personal data protection in Thailand. 

The legal entity that applies for review and certification must be the same as the one designated in the BCR as the Liable BCR Member.

Article 8 of the Rules requires applicants to prepare and submit their applications and supporting documents in the Thai language. If supporting documents are in a foreign language, a Thai translation is recommended for efficiency and compliance with administrative law.

If the BCR already have been reviewed and certified under the personal data protection laws of the following jurisdictions, the applicant may apply for review and certification through a special process (Article 11), which may result in reduced processing time:

• The European Union [Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)]
• The United Kingdom (UK GDPR)
• Other countries announced by the PDPC under Section 28 of the Personal Data Protection Act B.E. 2562 (however, as of October 2025, no other countries have been announced as having adequate personal data protection standards under Section 28 of the Personal Data Protection Act B.E. 2562).

Currently, applications may be submitted in person at the PDPC office, by mail, or by email (Article 9). Additional channels may be permitted by the PDPC Office in the future. Upon receipt of an application, the PDPC will conduct a form check within 15 days. If the application is incorrect or incomplete, the PDPC will instruct the applicant to make corrections or provide additional documents within a specified timeframe (Article 13).

The substantive review of the BCR will take approximately 180 days from the date all supporting documents are complete and correct (Article 16). This period may be extended for organizations with complex structures. After the substantive review, the responsible officer (Case Officer) will prepare a report with one of the following outcomes (Article 15):

(1)    Certification granted: the PDPC will issue a certificate.
(2)    Conditional certification: the policy is substantially compliant but requires certain amendments or actions to be completed within a specified period before full certification.
(3)    Certification denied.

Conditional certifications and denials are appealable under Article 18.

Once issued, a certification of BCR Approval has no expiration date and remains valid unless subsequently amended or revoked by the PDPC (Article 17).

There is no government fee for the application (Article 19). This regulation does not affect applications for review and certification of BCR submitted before this regulation was announced (Article 20).

This is intended merely to provide a regulatory overview and not to be comprehensive, nor to provide legal advice. Should you have any questions on this matter, please do not hesitate to contact our Personal Data Protection team at pdpa_bkk@eml.nishimura.com and our team would be pleased to assist.

Authors