Cross-Border Transfer of Personal Data

THANATHIP & PARTNERS

We use cookies, including third party cookies, to personalise and optimise your experience when exploring our website. For more detailed information about our cookies, please refer to cookies section in our privacy notice .
If you agree to the use of cookies, please click “Accept”. To manage your cookies settings, please click “Cookies Settings”.

	Cookies Settings
	Necessary cookies These cookies are essential for the operation of our website. Without these cookies, our website cannot function properly and you may not be able to browse the website effectively. You may change your browser settings to disable these cookies, but it may affect your access or use of the website.
	Analytics cookies These cookies collect information about visitor to our website, particularly with regard to data relating to user’s device, browser, IP address and browsing behavior. This enables us to measure user interactions and volume and nature of traffic to our website in order to improve the performance of our website, as well as record and resolve any difficulties that you may have from the use of our website. In this connection, we use Google Analytics services provided by [Google LLC and its affiliates] for this purpose.

January 2024

By Nat Boonjunwetvat, Punnapa Vorapanyasakul, Kunrisa Mektrakarn

Introduction
On 25 December 2023, the Personal Data Protection Commission (the “PDPC”) issued two notifications relating to cross-border transfer of personal data, namely:

Notification of the PDPC Re: Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country Pursuant to Section 28 of the PDPA (the "Section 28 Notification”); and
Notification of the PDPC Re: Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country Pursuant to Section 29 of the PDPA (the "Section 29 Notification”).

Coming into effect on 24 March 2024, the notifications aim at providing clarity on standards and criteria for cross-border transfer restrictions under Sections 28 and 29 of the Personal Data Protection Act B.E. 2562 (A.D. 2019) (the “PDPA”).

Cross-border transfer
In the event of a cross-border transfer of personal data, Section 28 of the PDPA principally requires that the destination country or international organisation receiving the transferred personal data must have adequate data protection standards, unless other exemptions apply.

The Section 28 Notification further elaborates that such “adequate data protection standards” shall be determined by the destination country or international organisationhaving (i) legal measures or mechanisms which are aligned with Thai personal data protection laws and (ii) agencies or organisations empowered to enforce personal data laws and regulations. In this connection, “whitelist” countries and international organisations remain to be announced by the PDPC for this purpose.

Group transfer
Pursuant to Section 29 of the PDPA and the Section 29 Notification, transfers of personal data outside Thailand within a group of undertakings or enterprises shall be permitted to the extent that:

Binding Corporate Rules (the “BCR”) governing internal rules and policies for data transfers having been established, reviewed and certified by the PDPC; or
Appropriate safeguards having been put in place to enable the enforcement of data subjects’ rights, including effective legal remedial measures. Such safeguards may take various forms, including:
1. Standard Contractual Clauses (SCC) containing the terms and requirements prescribed by PDPC under the Section 29 Notification. Alternatively, the SCC may follow certain overseas models as recognised by the PDPC, namely:
  - ASEAN Model Contractual Clauses for Cross Border Data Flows;
  - Standard Contractual Clauses for the Transfer of Personal Data to Third Countries issued under Articles 46(1), 46(2)(c) and 28(7) of the Regulation (EU) 2016/679 of the European Union (the GDPR) ; or
  - SCCs of other agencies or international organisations as prescribed by the PDPC.
2. Certifications affirming an implementation of appropriate safeguards for cross-border transfer of personal data; and
3. Legally binding and enforceable data transfer documents or agreements governing the transfer of personal data between state agencies in Thailand and other countries.

This document is solely intended to provide an update on recent development in Thailand legislation and is not purported to provide a legal opinion, nor a legal advice to any person.

Implementation of Partnership and Company Registration via DBD Biz Regist

March 2025

Following the implementation of the regulation governing online registration of partnerships and limited companies, the Department of Business Development (the “DBD”) has officially launched the new digital registration system called the DBD Biz Regist on 16 January 2025. As part of the transition towards having the DBD Biz Regist as the sole business registration channel in Thailand by 1 July 2025, the DBD has discontinued its online pre-reservation system for business registration since 3 February 2025 to encourage the use of the DBD Biz Regist instead of a physical system which has long been in use.

New BOI Scheme for Startups

February 2025

On 15 July 2024, the Thailand Board of Investment ("BOI") unveiled a funding scheme under the Competitiveness Enhancement Policy Committee for Target Industries (the “Committee”) (Announcement No. 2/2567 ), aimed at accelerating the growth of high-potential startups. This newly introduced framework supersedes the previous program established under Announcement No. 2/2564 and its subsequent amendment.

Thailand’s Financial Hub Act: Key Provisions and Objectives

February 2025

The Thai Cabinet has recently approved the draft Financial Hub Act (the “Act”), with the aim to establish Thailand as a global hub for financial industries, attracting foreign investment and enhancing employment opportunities for the Thai labour force.