GDPR Legal Roles
Regulation (EU) 2016/679 defines the roles and responsibilities of the figures who are in charge of an organisation's data protection system.
At the apex of the system remains the data controller. The Regulation sets the boundaries of liability both where several controllers jointly determine the purposes and means of the same processing (joint controllers, Article 26) and in relation to any processors engaged (Article 28).
The processor, too, is now more precisely defined and assumes responsibility clearly and directly (Article 28).
Persons who have access to personal data under the direct authority of the controller or processor may process them only on instructions from the controller (Article 29). In this regard Regulation 2016/679, as Directive 95/46/EC already did, treats this requirement as a specific security measure: the controller and processor must take steps to ensure that anyone acting under their authority does not process personal data except on the controller's instructions (Article 32(4)).
Lastly, the data protection officer (DPO), whose designation is mandatory in the circumstances listed in Article 37, has the function of monitoring the proper functioning of the system (tasks set out in Article 39).
The Undertaking
The undertaking appears in the rules introduced by the Regulation in several capacities:
• as a potential data subject to whom the information relates
• as a data controller
• as a potential data processor
• as a micro, small or medium-sized enterprise (SME), entitled to certain facilitations or derogations.
As regards the persons it protects, Regulation 2016/679 clarifies that it does not apply to «the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.» [Recital (14)].
The Enterprise as a Data Subject
According to the Regulation, an "enterprise" is "a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity" [Article 4(18)]. The definition therefore covers natural persons, such as professionals, as well as associations and consortia regularly engaged in an economic activity. It follows that an enterprise without legal personality still falls within the scope of the safeguards that Regulation 2016/679 grants to data subjects. The decisive criterion for whether the Regulation applies to information about an enterprise is therefore not the pursuit of an economic activity (as it is in consumer law) but whether the enterprise to which the potentially identifying information relates has legal personality: information about a sole trader or an unincorporated partnership is personal data, whereas information about a company established as a legal person is not.
SMEs as data controllers
Regulation 2016/679 takes account of the impact that the reform may have on SMEs, which are identified in accordance «with Article 2 of the Annex to Commission Recommendation 2003/361/EC» [Recital (13)].
Derogations and Facilities for SMEs
For organisations with fewer than 250 employees, the only derogation retained in the final text is the exemption from keeping records of processing activities, and even that does not apply where the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions and offences (Article 30(5)). The Commission's original proposal contained further facilitations for SMEs that did not survive into the final version of the Regulation, such as:
• the exemption from the obligation to designate a representative in the Union for SMEs established outside the Union [Art. 25(2)(b) of the proposal];
• the exemption from the obligation to designate a data protection officer [Art. 35(1)(b) of the proposal];
• a written warning instead of an administrative fine where the processing of personal data was only ancillary to the SME's main activities and the infringement was the first and not intentional [Art. 79(3)(b) of the proposal].
In any case, according to Regulation 2016/679, «the Union institutions and bodies, and Member States and their supervisory authorities, are encouraged to take account of the specific needs of micro, small and medium-sized enterprises in the application of this Regulation.» [Recital (13)].