+44 (0) 121 582 0192 [email protected]


As of 25 December 2023, Thailand’s strides towards robust personal data protection continued with the release of pivotal subordinate regulations under the Personal Data Protection Act B.E. 2562 (2019) (PDPA). Published in the Government Gazette, these regulations, set to come into force on 24 March 2024, introduce significant changes to the cross-border transfer of personal data. Businesses operating within and with Thailand will need to pay close attention to these changes to ensure compliance and secure data management.


Understanding the New Regulations

The new frameworks introduced are twofold: the Whitelist Notification and the Binding Corporate Rules (BCRs) and Appropriate Safeguards Notification. These are designed to provide clarity and enhance the security protocols surrounding the international transfer of personal data.


1. Whitelist Notification

The Whitelist Notification outlines countries that have been deemed to possess adequate data protection laws, thereby facilitating smoother data transfers to these regions. This list is a critical resource for businesses as it simplifies compliance checks before data is transferred internationally. Knowing which countries are on this whitelist allows businesses to plan their data flows more efficiently and with reduced legal overhead.


2. BCRs and Appropriate Safeguards Notification

The second notification focuses on Binding Corporate Rules and other appropriate safeguards like standard contractual clauses (SCCs), certifications, and binding agreements between Thai and foreign governmental agencies. This framework is particularly crucial for multinational corporations as it enables them to establish a consistent level of data protection across their operations while complying with the PDPA.


Strategic Implications for Businesses

With these regulations, the PDPC demonstrates its commitment to align Thailand’s data protection standards with global practices. However, this alignment brings a set of strategic implications for businesses:

  • Compliance Review: Businesses must review their current data transfer mechanisms to ensure they align with the new requirements. This includes assessing existing BCRs and contractual safeguards against the stipulated criteria.
  • Legal and Operational Adjustments: Companies may need to renegotiate contracts or revise internal policies to comply with the new standards, particularly if they rely heavily on data transfers to countries not listed in the Whitelist Notification.
  • Enhanced Data Security: Adopting the new BCRs and safeguard measures will likely enhance overall data security practices, benefitting both the businesses and their clients by reducing the risk of data breaches and enhancing trust.


Preparing for March 2024

The period leading up to March 2024 is crucial for businesses to adapt to these changes. Companies should take proactive steps to:

  • Conduct a Data Flow Audit: Understanding where and how personal data is transferred internationally is the first step in compliance.
  • Engage with Legal Experts: Consulting with data protection experts can provide insights specific to your business context, especially in interpreting how the new rules apply to your operations.
  • Update Training Programs: Employees should be educated about the new regulations and compliance requirements to mitigate any risk of inadvertent breaches.



Thailand’s updated PDPA cross-border transfer rules reflect its evolving data protection landscape, aligning more closely with international standards. For businesses, these changes are not just about compliance; they represent an opportunity to strengthen trust with customers and partners through robust data management practices. By understanding and adapting to these regulations, businesses can ensure smoother, more secure international data transfers, setting a standard for data privacy and security in the region.