Question about GDPR Article 27
I hope your week is going well.
We have bought several of your products and love every one of them. We had a question about GDPR Article 27. We are working with one of our customers on their GDPR annual audit and one of the questions that is asked for Article 27 is: "Is your organisation established outside of the European Union?"
This customer is US-based, but has a corporation established in both the UK and Ireland. They do all of their EU business from either the UK or the Ireland companies and have "Data Champions" in place at each company in the UK and Ireland. Since they have a corporate entity in the EU, are they allowed to answer the "Is your organisation established outside of the European Union" question "No"?
If the US company has an office or a branch in Ireland or in the UK, it can be considered established in the EU, and therefore answering “NO” is the right choice. In fact, recital 22 of the Preamble of GDPR states that “[e]stablishment implies the effective and real exercise of activities through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect.”
The Guidelines on the territorial scope of the GDPR adopted by the European Data Protection Board (EDPB) on 16th November 2018 state that: “In order to determine whether an entity based outside the Union has an establishment in a Member State, both the degree of stability of the arrangements and the effective exercise of activities in that Member State must be considered in the light of the specific nature of the economic activities and the provision of services concerned. This is particularly true for undertakings offering services exclusively over the Internet. The threshold for “stable arrangement” can actually be quite low when the center of activities of a controller concerns the provision of services online. As a result, in some circumstances, the presence of one single employee or agent of the non-EU entity may be sufficient to constitute a stable arrangement if that employee or agent acts with a sufficient degree of stability.”
This means that if the EU business of your US client is carried out through the UK and the Irish branches, those organizations can be considered stable arrangements and the company can be considered as established in the EU.
Here you can find more information:
Guidelines on the territorial scope of the GDPR https://edpb.europa.eu/sites/edpb/files/consultation/edpb_guidelines_3_2018_territorial_scope_en.pdf
What is the EU GDPR and why is it applicable to the whole world? https://advisera.com/eugdpracademy/knowledgebase/what-is-the-eu-gdpr-and-why-is-it-applicable-to-the-whole-world/
You can also consider enrolling in this free online training EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course//
Nov 09, 2020