Two notifications on the cross-border transfer of personal data, issued by Thailand’s Personal Data Protection Committee (PDPC), came into effect on March 24, 2024. These notifications, which we detailed in a previous update, set out the criteria governing the cross-border transfer of personal data offshore, specifically focusing on situations where appropriate personal data protection standards are in place.
Of particular importance is the role of binding corporate rules (BCRs) in enabling the cross-border transfer of personal data among affiliated businesses or within the same group of undertakings. The implementation of BCRs requires a comprehensive review and approval process by the Office of the PDPC, strictly in accordance with the criteria set out in one of the two notifications.
With the notifications now fully enforceable, the Office of the PDPC has begun accepting BCRs for review. Data controllers and data processors intending to adopt BCRs as a means for transferring data to offshore affiliates or group companies must initiate the BCR submission process promptly. Failure to comply with PDPA requirements concerning the cross-border transfer of personal data could result in substantial penalties.
Organizations involved in cross-border personal data transfers should be proactive in complying with the prescribed criteria to avoid these regulatory penalties and maintain the data protection standards mandated by the PDPA.
For more information on these cross-border personal data transfer regulations, or on any aspect of complying with Thailand’s data protection laws, please contact Nopparat Lalitkomon at nopparat.l@tilleke.com, Gvavalin Mahakunkitchareon at gvavalin.m@tilleke.com, or Wilin Somya at wilin.s@tilleke.com.