Thailand: Implemented rules on the criteria for protecting personal data sent or transferred abroad according to Section 29 of PDPA

On 24 March 2024, Thailand’s Personal Data Protection Committee (PDPC) implemented rules regarding the criteria for protecting personal data sent or transferred abroad according to Section 29 of the Personal Data Protection Act (PDPA). The order specifies that entities can transfer personal data to other entities engaging in the same affiliated business or part of the same group of undertakings based on a policy for personal data protection (binding corporate rules) reviewed and certified by the PDPC. In the absence of adequacy decisions or binding corporate rules, the entities would be able to transfer data to foreign countries based on appropriate safeguards, such as contractual clauses, certifications or agreements that Thailand is a party to. Furthermore, it outlines the international model of contractual clauses that Thailand recognises.