Global Data and Cyber Handbook

Thailand

Select a Topic
Start Comparison
International Data Transfer
Are there restrictions on the transfer of personal data to third countries?

Last review date: January 2025

Yes

"Third country" is not specifically defined under the PDPA, but it should refer to countries outside Thailand.

Transfers of personal data to third countries are permissible only if there is a legal basis for the processing/transfer and one of the following applies:

        approved adequate/whitelisted jurisdictions
        approved standard contractual clauses
        binding corporate rules
        derogations, such as consent, contract performance, necessity to establish, exercise or defend legal claims
        other solutions

  • The certification that the collection, use, and disclosure of personal data by data controllers and data processors in the context of cross-border transfer must have appropriate personal data protection measures in accordance with accepted standards and per the rules prescribed by the PDPC.

On 25 December 2023, the two subordinate notifications regarding cross-border transfers of personal data by the PDPC were officially published in the Royal Gazette, namely:

  1. Notification of the Personal Data Protection Committee on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country pursuant to Section 28 of the Personal Data Protection Act, B.E. 2562 B.E. 2566 (2023) ("Whitelist Notification")
  2. Notification of the Personal Data Protection Committee on Criteria for the Protection of Personal Data Sent of Transferred to a Foreign Country pursuant to Section 29 of the Personal Data Protection Act, B.E. 2562 B.E. 2566 (2023) ("BCRs and Appropriate Safeguards Notification")

Both the Whitelist Notification and the BCR and Appropriate Safeguards Notification became effective on 24 March 2024. It is worth noting that the PDPC interprets transfer options differently compared to data protection authorities in other regions. As such, it will be prudent for business operators to reassess which cross-border transfer option is most suitable for their particular circumstances. This may include considering whether any further actions are necessary, such as localizing existing SCCs/BCRs to comply with Thai law requirements.

{{ $store.state.loadingScreen.message }} ...