Yes, the Personal Data Protection Act B.E. 2562 (2019) ("PDPA") prescribes rules and requirements that must be met for the cross-border transfer of personal data outside Thailand. According to Section 28 and 29 of the PDPA, cross-border transfer of personal data is restricted unless one of the following grounds can be relied on:

• Adequacy of the destination country's data protection standard, where the transfer of data is carried out in accordance with the criteria for personal data protection to be prescribed by the Personal Data Protection Committee
• Legal exceptions for cross-border transfer apply in the following circumstances:

  - It is for legal compliance.

  - Consent has been obtained from the data subject, where the data subject has been informed of the inadequate personal data protection standards of the destination country.

  - It is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into such contract.

  - It is for compliance with a contract between the data controller and other persons or legal entities for the interests of the data subject.

  - It is to prevent danger to the life, body or health of the data subject or another person, when the data subject is incapable of giving the consent at such time.

  - It is necessary for carrying out activities of substantial public interest.

• Privacy policy for cross-border transfer to recipients in the same group of undertakings or group of businesses (binding corporate rules)
• Where there are appropriate safeguards (e.g., standard contractual clauses)