On 17 February 2026, Thailand's Regulation on the Examination and Certification of Binding Corporate Rules within the Same Affiliated Business or the Same Group of Undertakings B.E. 2568 (2025) (“BCR Regulation”) took effect following publication in the Government Gazette. Issued by the Office of the Personal Data Protection Committee (“PDPC”), the BCR Regulation establishes a formal mechanism for organisations to obtain certification of their Binding Corporate Rules, a cross‑border transfer mechanism under Section 29 of the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”), and sets out the procedures, documentary requirements, and assessment criteria for intra‑group transfers of personal data conducted for internal business operations. We summarise the key requirements in more detail below.
What are Binding Corporate Rules?
Binding Corporate Rules (“BCRs”) are legally binding, group-wide data protection policies that allow multinational corporate groups to transfer personal data among their entities in different jurisdictions while ensuring that all participating group entities apply consistent, high-standard privacy protections.
BCRs may be used only for intra-group transfers, i.e., transfers within the same affiliated business or group of undertakings for internal business operations.
Under the BCR Regulation, BCRs must be mutually binding on all participating entities, including both transferring and receiving entities. The core purpose of such BCRs is to ensure uniform, lawful, and enforceable data protection standards across the group in line with Section 29 of the PDPA.
Application for BCR Certification in Thailand
To apply for BCR certification in Thailand, the applicant must be part of the same affiliated business or group of undertakings and must be a Thai‑incorporated entity with a physical presence in Thailand.
The applicant may be either the group’s Thailand‑based headquarters or, where the headquarters is located overseas, a local group entity designated as responsible for personal data protection in Thailand.
The BCR Regulation recognises two categories:
- BCR for data controllers (“BCR C”), and
- BCR for data processors (“BCR P”).
In terms of timing, once an applicant submits a BCR certification request, the PDPC must issue its decision within 180 days of filing. Once certified, BCRs remain valid indefinitely unless they are subsequently amended, modified or revoked.
What rules apply to BCRs under the BCR Regulation?
For BCR certification, the PDPC evaluates BCRs according to several core principles, including:
- Their legal effect.
- Enforceability.
- Cooperation obligations.
- Data protection standards.
- Security measures.
- Accountability mechanisms.
- Supporting governance structures.
The key elements required for BCR certification are as follows:
- Legal enforceability and group-wide applicability. BCRs must be legally binding on all participating entities and must set out comprehensive personal data protection standards aligned with the PDPA.
- Effective monitoring and enforcement mechanisms. BCRs must include internal controls such as compliance audits, monitoring procedures, and systems for implementing corrective measures.
- Co-operation obligations. All BCR members must agree to co-operate with the PDPC during examinations and comply with its directions. For BCR P, this extends to co-operating with the relevant data controller as a third party.
- Safeguards for data subject rights. BCRs must ensure that data subject rights are respected and include mechanisms for handling complaints, claims, and issues arising from cross-border transfers within the group.
- Data protection and security measures. BCRs must incorporate minimum PDPA-compliant safeguards, including appropriate technical and organisational measures and core personal data protection principles.
- Accountability mechanisms. BCRs must include features supporting accountability, such as record-keeping obligations, risk assessments, and other measures required under the PDPA.
Correlation to EU GDPR
Pertinently, groups that already hold BCRs approved under the EU GDPR may submit those BCRs together with supplemental documents required under the BCR Regulation.
This provides a more streamlined pathway that reduces duplication for organisations already certified under the GDPR.
Key takeaways for organisations
To maximise the likelihood of approval for a BCR application, applicant organisations would be well advised to:
- Prepare clear and enforceable BCRs: Draft BCRs that are precise, binding, and consistently applied across all group entities.
- Embed strong safeguards in BCRs: Include robust security measures, compliance controls, and monitoring mechanisms that meet PDPA requirements.
- Leverage existing frameworks: Groups with GDPR‑certified BCRs can benefit from the PDPC’s simplified submission process.
In conclusion, the new BCR Regulation provides a structured and predictable path for legitimising intra‑group cross‑border transfers under the PDPA in Thailand.
With that said, successful certification will depend on meeting the key criteria elaborated upon in the BCR Regulation.