PDPC Has Published Regulations on the Certification of Binding Corporate Rules
- Kit Amatyakul
- 5 days ago
- 5 min read
On 29 September 2025, the Office of the Personal Data Protection Committee in Thailand (PDPC Office) issued Regulations on the Review and Certification of Binding Corporate Rules B.E. 2568 (2025) (“Regulations”) establishing guidelines for the submission, consideration, examination, certification, and supervision of Personal Data Protection Policies that apply within the same affiliated business or group of undertakings (“Binding Corporate Rules,” or “BCRs”). The new Regulations apply to transfers of personal data from Thailand by data exporters located in Thailand to data recipients located abroad, but within the same affiliated business or group of undertakings, whether or not the PDPC has ruled that the destination country has adequate personal data protection standards.
In conjunction with this development, the PDPC Office also approved BCRs for two companies operating in Thailand on 30 September 2025. This move represents the first concrete progress since the PDPC’s Notification on Criteria for the Protection of Personal Data Sent or Transferred to a Foreign Country pursuant to Section 29 of the Personal Data Protection Act B.E. 2566 (2023) (PDPA) came into effect in March 2024.
The Regulations define key terms under Section 29 paragraph 2 of the PDPA, wherein “the same affiliated business or group of undertakings” refers to businesses where one entity has control or management authority over another, or is controlled by another entity, in the form of parent companies, subsidiaries, or affiliates. This includes individuals or legal entities that are connected legally or operationally, as determined in accordance with relevant laws and generally accepted accounting standards.
The Regulations govern both types of BCR:
1. Policy for Personal Data Controllers (BCR for Controllers or BCR-C); and
2. Policy for Personal Data Processors (BCR for Processors or BCR-P)
The PDPC Office encourages multinational companies with both data controller and data processor roles to consider separate or hybrid applications, depending on their group structure.
Applicants are required to prepare and submit their applications and supporting documents in the Thai language. If supporting documents are in a foreign language, a certified Thai translation should be provided. The translation must be notarized by a notary public or a qualified person. Supporting documents may include, among others, a binding instrument such as an intra-group agreement, or a list of entities subject to the BCRs.
The PDPC Office has emphasized that the completeness and clarity of the Thai translation will directly affect the review timeline, so applicants should ensure consistency between the English and Thai versions.
For the certification of the BCRs, the PDPC Office will consider the following key matters:
1. Legal binding: The BCRs must demonstrate an appropriate mechanism establishing legal enforceability both within and outside the corporate group.
2. Cooperation: Members must cooperate with the PDPC Office and comply with legal requirements. For BCR-P, an additional provision on the data processor’s obligation to cooperate with and assist the data controller in complying with applicable laws should be included.
3. Enforceability: The BCRs must demonstrate an appropriate and verifiable mechanism to ensure that they are actually implemented and complied with.
4. Data subject rights: The BCRs must ensure data subjects can exercise their rights and lodge complaints.
5. Personal data protection measures: The BCRs must appropriately demonstrate the personal data protection principles under the applicable law, which must at least consist of the fundamental principles of personal data protection and appropriate security measures.
The review of an application takes approximately 180 days from the date correct and complete documents are received, but this may vary depending on the complexity of the organizational structure, the nature of the data, and the completeness of the submitted documents. There is no government fee for the BCR certification under the Regulations.
However, applicants may incur translation, notarization, or professional advisory costs during preparation, which are not covered by the PDPC Office.
After the substantive review, the responsible officer will prepare a report with one of the following outcomes:
1. Certification granted: the PDPC will issue a certificate.
2. Conditional certification: the policy is substantially compliant but requires certain amendments or actions to be completed within a specified period before full certification.
3. Certification denied.