The European Commission issued a guide for transferring data outside of the EU after Schrems’s sentence: http://europa.eu/rapid/press-release_MEMO-15-6014_en.htm.
We now have two ways: using contractual clauses or binding corporate rules (BCR). These two methods are applicable to all transfers to Countries for which there is not an authorization by the European Commission or a local privacy authority.
Some guidelines are available to help controllers:
- Standard contractual clauses for transfers to another controller: http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1447323316386&uri=CELEX:32004D0915 (from CE decision 915 of 2004);
- Standard contractual clauses for transfers to an external processor: http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1447323878179&uri=CELEX:32010D0087 (CE decision 87 of 2010);
- BCR scheme by Art. 29 Working Party, on documents WP 153, WP 154 and WP 155; such documents can be retrieved from http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm.
Standard contractual clauses are available in other languages than English.