a glowing, encrypted data stream connecting a sleek tech startup office in Bangkok to a luminous global server hub across an abstract world map
PS Law and Business Logo
Business in Thailand 02 Jul 2026

Introduction

In this article, you will learn how Thailand's newly activated Binding Corporate Rules (BCRs) impact cross-border data transfers for tech startups and multinational companies. We will break down the legal risks of syncing data to overseas servers, explore the newly formalized Personal Data Protection Committee (PDPC) certification process, and provide actionable steps to ensure your business in Thailand remains fully compliant with the Personal Data Protection Act (PDPA).

The Cross-Border Data Trap for Cloud-First Startups

Modern tech startups and e-commerce platforms rarely localize all their data within Thailand. It is common practice to utilize global cloud infrastructure like AWS or Google Cloud, or to sync databases seamlessly with an overseas headquarters and foreign investors. While pure data transit or overseas storage—where no third party can access the data—may be exempt from transfer restrictions, actively syncing or sharing personal data across your corporate group triggers strict compliance requirements under Section 29 of the PDPA.

Founders often assume that because they own the servers in Singapore or the US, the data transfer is inherently lawful. However, transferring personal data intra-group without verified safeguards is a direct violation of the PDPA, exposing companies to administrative fines of up to THB 5 million per offense.

Understanding Thailand's Brand-New BCR Framework

On February 17, 2026, a major regulatory framework was published in the Government Gazette: the Regulation on the Examination and Certification of Binding Corporate Rules within the Same Affiliated Business or the Same Group of Undertakings B.E. 2568 (2025). This officially activated the formal certification mechanism for BCRs in Thailand.

BCRs are comprehensive, legally binding internal privacy policies that allow multinational corporate groups to lawfully transfer personal data among their entities across different jurisdictions. They serve as a highly effective, regulator-endorsed alternative to signing separate data transfer agreements for every single data flow.

Key Requirements for BCR Certification

To obtain BCR certification from the Office of the PDPC, your startup must satisfy several critical elements:

  • Local Presence: The applicant must be a legally established, Thai-incorporated entity with a physical presence in the country to act as the liable BCR member. For those in the early stages, ensuring proper company foundation is the first necessary step.
  • Legally Binding Effect: The rules must be mutually binding on all participating entities, enforcing uniform data protection standards that align with the PDPA.
  • Data Subject Rights: The BCR must establish clear mechanisms for handling complaints and ensuring individuals can exercise their privacy rights across borders.
  • Cooperation Obligations: Group entities must agree to submit to PDPC examinations and comply with regulatory orders.

The EU/UK Fast-Track Process

If your startup's overseas headquarters already has BCRs approved under the EU GDPR or UK GDPR, Thailand offers a streamlined approach. Instead of starting from scratch, applicants can submit their existing approved documentation alongside a "Thai-specific BCR addendum". This addendum addresses mandatory local requirements, such as designating the Thai liable entity and acknowledging PDPC oversight.

BCRs vs. Standard Contractual Clauses (SCCs)

If undergoing a formal certification process seems too heavy for a lean startup, the PDPC also permits the use of Appropriate Safeguards, such as Standard Contractual Clauses (SCCs). Here is a quick comparison to help guide your internal due diligence:

FeatureBinding Corporate Rules (BCRs)Standard Contractual Clauses (SCCs)
Best ForLarge corporate groups with frequent, complex intra-group transfers.Lean startups or bilateral transfers to external third-party vendors.
Approval RequirementRequires formal review and certification by the PDPC.No prior approval needed; implemented directly between parties.
FlexibilityHigh. One group-wide policy covers all entities.Low. Requires individual contracts for every single data transfer path.

FAQ

  • Does using an overseas cloud server automatically violate the PDPA?
    Not necessarily. If data is merely stored overseas and strictly protected so that no third party can access it, it may fall outside the definition of a cross-border transfer. However, active intra-group syncing requires compliance safeguards.
  • What are the penalties for unlawful cross-border data transfers in Thailand?
    Non-compliance can result in severe administrative fines of up to THB 5 million per offense.
  • How long does the BCR certification process take with the PDPC?
    Once a complete application is filed, the PDPC is mandated to issue its decision within 180 days.

Further Reading

Legal Blog

Business in Thailand

A sleek, modern business office in a high-rise building in Bangkok, with a diverse group of professionals (Thai and foreign) collaborating around a conference table.
PS Law and Business
PS Law & Business 16 Jun 2024
Can a foreigner hold 100% share in Thailand

Thinking of starting a business in Thailand? Understanding foreign ownership rules is key. Generally, Thai law limits foreign shareholding, but exceptions exist.

Read More
While often discussed together, the Foreign Business License (FBL) and Foreign Business Certificate (FBC) in Thailand have distinct purposes and application procedures. Here's a breakdown of the key differences.
PS Law and Business
PS Law & Business 17 May 2024
Thailand Foreign Business License vs. Certificate (FBL & FBC) Explained

Confused about the Foreign Business License (FBL) and Foreign Business Certificate (FBC) in Thailand? Learn the key differences, requirements, and which permit your foreign-owned business needs to operate legally. Contact PS Law for a consultation.

Read More
A professional and modern graphic that visually represents the concept of international business in Thailand
PS Law and Business
PS Law & Business 30 Jun 2025
What is the Foreign Business Act (FBA)?

Navigating the legal landscape is crucial for any foreigner looking to establish a business in the vibrant Thai market. This guide delves into the Foreign Business Act (FBA), a key piece of legislation governing foreign participation in the Thai economy.

Read More

Book an appointment

Why choose PS Law & Business Services?

Client-Focused Approach

We tailor our legal strategies to meet your specific needs and goals.

Transparent Communication

We keep you informed and involved throughout the legal process.

Cost-Effective Solutions

We offer competitive rates and transparent billing practices.

Proven Results

We have a strong track record of success in achieving favorable outcomes for our clients.

Multilingual support

Our experienced attorneys are fluent in English and Thai.

Ask for a quotation

Contact us



This site is protected by reCAPTCHA and Google Privacy Policy and Terms of Service apply.