
Cross-Border Personal Data Transfers under the PDPA: What Thai Organizations Need to Know Before Sending Data Abroad in 2026

An in-depth look at Sections 28–29 of the PDPA on international personal data transfers, covering adequate protection standards, Binding Corporate Rules, consent mechanisms, and key considerations for cloud services that DPOs and Compliance teams need to understand.

6 Mar 2026, 7 min read

Tags: PDPA, cross-border data transfer, Section 28, Section 29, Binding Corporate Rules, DPO, Compliance, Cloud, privacy

Why cross-border data transfers are an urgent issue for Thai organizations in 2026

In an era where business operations increasingly rely on multinational technology platforms and cloud services, many Thai organizations are transferring personal data outside the country—sometimes without realizing it. Examples include using a SaaS-based CRM with servers located in Singapore, sending HR data to a parent company in Europe, or using an email marketing service provider based in the United States.

Thailand’s Personal Data Protection Act B.E. 2562 (2019) (PDPA) clearly establishes the legal framework for these transfers under Sections 28 and 29, yet many organizations still do not fully understand the requirements. This article summarizes the key obligations and provides a practical checklist to help DPOs, Compliance officers, and legal teams assess and manage risk effectively.


Section 28: The fundamental principle for transferring data overseas

Section 28 of the PDPA provides that a Data Controller may not freely send or transfer personal data to a foreign country unless the destination country or international organization receiving the data has an adequate standard of personal data protection.

Countries with adequate protection standards (Adequacy Decision)

The Personal Data Protection Committee (PDPC) has the authority to announce a list of countries or territories recognized as having personal data protection standards adequate and comparable to those of Thailand. Where data is transferred to those jurisdictions, the Data Controller may proceed without relying on any additional transfer mechanism.

However, to date, the PDPC is still in the process of developing such a list. As a result, most organizations must still rely on other mechanisms permitted by law.


Section 29: Exceptions and alternative mechanisms

Where the destination country does not meet the Adequacy Decision threshold, Section 29 provides six alternative mechanisms that a Data Controller may rely on, as follows:

1. Binding Corporate Rules (BCR)

BCRs are internal personal data protection policies within a corporate group that have been certified by the PDPC or another recognized regulatory authority. They are suitable for multinational companies or business groups that regularly exchange data among affiliated entities.

Advantages: They cover all intra-group transfers and reduce the burden of obtaining consent on a case-by-case basis.

Disadvantages: Drafting and obtaining approval is complex and time-consuming.

2. Standard Contractual Clauses (SCC)

SCCs are standard contractual terms between the data exporter and the overseas data recipient. The PDPC may issue a standard form, or the parties may rely on standard clauses recognized by internationally accepted regulators, such as the EU SCCs.

What to watch for: SCCs are effective only if both parties are genuinely bound by the contract, and the data exporter must verify on an ongoing basis that the recipient complies with the contractual obligations.

3. Explicit consent from the data subject

A Data Controller may transfer data overseas if it has obtained the data subject’s explicit consent in advance, provided the data subject is informed of:

  • The destination country to which the data will be transferred
  • The protection standard of that country, which may be lower than Thailand’s
  • The risks that may arise from such transfer

Important limitation: Consent embedded in general terms of service may not be sufficient, and there must be a mechanism allowing the data subject to withdraw consent.

4. Necessity for the performance of a contract

If the transfer is necessary for the performance of a contract between the Data Controller and the data subject, or to take steps at the data subject’s request prior to entering into a contract, the transfer may proceed without additional consent.

Example: International hotel or airline bookings, where passenger data must be sent to overseas service providers.

5. Public interest or vital interests

This basis may be used where the transfer is necessary for public interest purposes or to protect the vital interests of the data subject, such as transferring health data for emergency medical treatment abroad.

6. Legal claims

This basis applies where the transfer is necessary for the establishment, exercise, compliance with, or defense of legal claims.


Special considerations for cloud services

One of the most common practical challenges is the use of cloud services provided by foreign vendors, which raises additional considerations.

Data Residency vs. Data Sovereignty

Many organizations mistakenly assume that selecting “Asia Pacific Region” or “Singapore Region” in a cloud service means the data is not transferred outside Thailand. In practice, however:

  • Metadata and log files may be processed in other regions
  • Backup and disaster recovery may replicate data across multiple regions
  • Support access may allow overseas support teams of the provider to access the data

What needs to be done: Review each cloud provider’s Data Processing Agreement (DPA) and Privacy Policy, and clearly identify where personal data is processed and stored.

Sub-processors and third-party vendors

A Data Processor acting as a cloud service provider often relies on multiple sub-processors, each of which may be located in different countries. The Data Controller is responsible for verifying that these sub-processors also maintain adequate data protection standards.


Operational checklist: Before transferring personal data overseas

DPOs and Compliance teams can use the following checklist as an initial guide.

Step 1: Identify and classify data transfers

  • Conduct Data Mapping to identify personal data transferred outside Thailand
  • Identify the destination country for each category of data
  • Determine whether the transfer is routine or occasional

Step 2: Assess the appropriate mechanism

  • Check whether the destination country is on the PDPC’s list of jurisdictions with adequate protection
  • If not, identify the alternative mechanism to rely on (BCR, SCC, Consent, etc.)
  • Assess the feasibility and appropriateness of each mechanism

Step 3: Prepare documentation and contracts

  • Draft or review the Data Processing Agreement with the overseas service provider
  • Record the rationale and mechanism used for each transfer
  • Update the Records of Processing Activities (ROPA)

Step 4: Inform data subjects

  • Update the Privacy Notice to cover cross-border data transfers
  • Specify the destination countries and the protection mechanisms used
  • Provide convenient channels for data subjects to exercise their rights

Step 5: Monitor and review

  • Establish a review cycle to monitor compliance by overseas data recipients
  • Review the list of sub-processors whenever changes occur
  • Prepare a personal data breach response plan that covers cross-border transfers
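The checklist above, together with the cloud-services section (backup regions and overseas support access are destinations too), can be turned into a simple register check. The following is an added example, not code from the original article and not a PDPC or PrivacyHub tool: it evaluates a constructed inventory of data flows against the Section 28/29 logic described on this page. The empty adequacy list, the mechanism names, the one-year SCC review interval, the sensitive-category list and all sample records are assumptions made for the illustration.

```python
"""Cross-border transfer register check (illustrative; assumptions noted inline)."""
from __future__ import annotations
from dataclasses import dataclass, field

# Section 28: the PDPC adequacy list. The article notes it has not yet been issued,
# so it is empty here; populate it once the PDPC announces one (assumption).
ADEQUATE_JURISDICTIONS: frozenset[str] = frozenset()
# Section 29 mechanisms, named as on the page.
SECTION_29_MECHANISMS = {"BCR", "SCC", "CONSENT", "CONTRACT", "VITAL_INTEREST", "LEGAL_CLAIM"}
SENSITIVE_CATEGORIES = {"health"}        # assumption for the example
SCC_REVIEW_INTERVAL_DAYS = 365            # assumed internal review cycle, not a statutory figure
HOME_COUNTRY = "TH"


@dataclass
class Transfer:
    system: str
    data_categories: list[str]
    destinations: list[str]          # every country where data is processed: primary, backup/DR, support access
    mechanism: str | None = None     # one of SECTION_29_MECHANISMS, or None if undocumented
    recipient_is_group_affiliate: bool = False
    scc_last_reviewed_days: int | None = None
    consent_disclosed_destination: bool = False
    consent_disclosed_risk: bool = False
    consent_withdrawable: bool = False
    sub_processors: dict[str, str] = field(default_factory=dict)   # sub-processor name -> country


def assess_transfer(t: Transfer) -> list[str]:
    """Return a list of findings; an empty list means nothing to flag."""
    findings: list[str] = []
    documented = set(t.destinations)
    all_locations = documented | set(t.sub_processors.values())
    # Section 28: a foreign location needs no further mechanism only if it is on the adequacy list.
    not_adequate = sorted(c for c in all_locations if c != HOME_COUNTRY and c not in ADEQUATE_JURISDICTIONS)
    if not not_adequate:
        return findings
    # Section 29: check the mechanism the controller relies on.
    if t.mechanism is None:
        findings.append(f"no Section 29 mechanism documented for transfer to {not_adequate}")
    elif t.mechanism not in SECTION_29_MECHANISMS:
        findings.append(f"unrecognised mechanism {t.mechanism!r}")
    elif t.mechanism == "BCR" and not t.recipient_is_group_affiliate:
        findings.append("BCR relied on, but recipient is not a group affiliate")
    elif t.mechanism == "SCC":
        if t.scc_last_reviewed_days is None or t.scc_last_reviewed_days > SCC_REVIEW_INTERVAL_DAYS:
            findings.append("SCC in place but recipient compliance not verified within the review interval")
    elif t.mechanism == "CONSENT":
        if not t.consent_disclosed_destination:
            findings.append("consent obtained without naming the destination country")
        if not t.consent_disclosed_risk:
            findings.append("consent obtained without informing the data subject of the transfer risks")
        if not t.consent_withdrawable:
            findings.append("no mechanism for the data subject to withdraw consent")
    # Sub-processors: a location that is not in the documented destinations is an undocumented transfer.
    for name, country in sorted(t.sub_processors.items()):
        if country != HOME_COUNTRY and country not in documented:
            findings.append(f"sub-processor {name!r} processes data in {country}, not among documented destinations")
    if findings and SENSITIVE_CATEGORIES & set(t.data_categories):
        findings.append("involves sensitive personal data: escalate (criminal penalties apply under the PDPA)")
    return findings


def assess_register(register: list[Transfer]) -> dict[str, list[str]]:
    """Map each system with findings to its findings; clean systems are omitted."""
    return {t.system: f for t in register if (f := assess_transfer(t))}


# Constructed sample register (not real systems or vendors).
SAMPLE_REGISTER = [
    Transfer("HRIS SaaS", ["national_id", "salary", "health"], ["SG", "US"],  # US = backup region
             mechanism="SCC", scc_last_reviewed_days=400, sub_processors={"support-vendor": "IN"}),
    Transfer("Group CRM", ["name", "purchase_history"], ["DE"],
             mechanism="BCR", recipient_is_group_affiliate=True),
    Transfer("Email marketing", ["email", "usage_behaviour"], ["US"], mechanism="CONSENT",
             consent_disclosed_destination=True, consent_disclosed_risk=False, consent_withdrawable=True),
    Transfer("Hotel booking", ["name", "passport"], ["JP"], mechanism="CONTRACT"),
    Transfer("Payroll", ["salary"], ["TH"]),
]

if __name__ == "__main__":
    for system, findings in assess_register(SAMPLE_REGISTER).items():
        print(system)
        for finding in findings:
            print("  -", finding)
```

The register deliberately treats backup regions, support-access countries and sub-processor locations as destinations in their own right, which is the point of the Data Residency vs. Data Sovereignty discussion above; a transfer that only lists the primary region will pass the check while still sending data elsewhere.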

Download the full checklist and assess your organization’s compliance status at PDPA Compliance Assessment


Penalties for violating Sections 28–29

Violations of the provisions governing overseas transfers of personal data may result in significant civil and criminal penalties.

Civil penalties

  • Compensation for damages payable to affected data subjects
  • In cases of intentional or negligent violation, the court may order punitive damages of up to two times the actual damages

Administrative penalties

  • Fines of up to THB 3 million for violating the principles governing international data transfers
  • Where data is transferred without a valid legal basis, fines may reach THB 5 million

Criminal penalties

  • A Data Controller or complicit executive may face imprisonment of up to 1 year and/or a fine of up to THB 1 million in cases involving sensitive personal data

More important than the monetary penalties is the reputational damage and loss of customer trust, which can be difficult to repair in the short term.


Common scenarios in Thai organizations

Scenario 1: A company uses foreign SaaS HR software

Many organizations use HRIS platforms with servers located in Singapore or the United States. Employee data—including national ID numbers, salary data, and health data—is automatically transferred abroad for processing.

What should be done: Review the DPA with the provider, verify whether SCCs or another adequate mechanism is in place, and update the employee Privacy Notice.

Scenario 2: A company sends customer data to an overseas parent company

Multinational corporate groups often centralize customer databases at overseas headquarters. In such cases, BCRs are often the most suitable solution.

What should be done: Accelerate the development of BCRs with the parent company, or implement SCCs between group companies as an interim measure.

Scenario 3: Using an overseas email marketing platform

Customer email addresses, names, and usage behavior are transferred to the overseas servers of the service provider.

What should be done: Clearly disclose this in the Privacy Notice and Cookie Policy. Assess whether the processing has a valid legal basis or whether additional consent is required.


How to prepare for 2026

The PDPC is likely to issue clearer guidance on cross-border data transfers in 2026. Organizations should prepare as follows:

Short term (within 3 months):

  • Conduct Data Mapping to identify all cross-border data transfers
  • Review contracts and DPAs with all overseas service providers
  • Assess the adequacy of the mechanisms currently in use

Medium term (3–12 months):

  • Develop or improve the Privacy Notice and Consent Management processes
  • Implement SCCs or begin the BCR process where appropriate
  • Train teams involved in cross-border data transfers

Long term (more than 12 months):

  • Build a continuous monitoring and reporting system for cross-border data transfers
  • Develop a Vendor Assessment process for new overseas service providers
  • Conduct annual readiness assessments

Read more about PDPA readiness in other areas at PDPA Checklist 2026


Conclusion: Managing cross-border data systematically

Sending personal data outside Thailand is not something organizations must avoid—but it must be done within the proper legal framework. There are three key points organizations need to recognize:

  1. Know where the data goes — Data Mapping that includes cross-border data flows is an essential starting point.
  2. Choose the right mechanism — No single mechanism fits every case. The right choice depends on the nature of the transfer, the destination country, and the relationship with the recipient.
  3. Document and monitor — The law requires evidence of compliance. Good recordkeeping helps reduce risk in the event of regulatory scrutiny.

If your organization is looking for a system that makes PDPA management structured and auditable, PrivacyHub by Enersys is designed specifically for this need. Its Cross-Border Data Transfer Management module enables Compliance teams to track cross-border transfers in one place, manage DPAs and SCCs systematically, and generate compliance reports ready to present to executives and regulators.

Enersys’s PDPA specialists are ready to help assess your current status and design an approach tailored to your organization’s context. Consult the Enersys team today for a no-cost preliminary analysis.
