The controller is the party that determines the purposes and the means of the processing. In the case of a company, the controller is the company itself, not the person representing it or the person charged with managing privacy.
The controller may appoint one or more external processors to whom particular activities are assigned (computer maintenance, management of data in the cloud, hosting, etc.). Processors must act on the controller's documented instructions, but, given their expertise, they retain a certain autonomy in the means they use.
The Regulation provides that the processor must be appointed under a written contract. A further novelty is that the processor may in turn appoint another processor for specific activities, and that sub-processor may delegate further.
The controller always remains liable for privacy infringements, in some cases jointly and severally with the processor involved in the processing concerned.
There may be joint controllers when two or more parties process data for the same purpose and jointly decide the related means. In this case, an agreement establishing each party's tasks and responsibilities must be drawn up.
Alongside the controller and the processors are the company's employees, who need to know the means of the processing.
The company has to provide regular training courses for its employees.
The Regulation introduces the new position of the DPO (Data Protection Officer), a sort of consultant, internal or external to the company, who advises the controller on the security measures to adopt and acts as the point of contact for data subjects and the supervisory authority for privacy.
The appointment of a DPO is mandatory only in certain cases (where the processing is carried out by public authorities, or where the core activities consist of regular and systematic large-scale monitoring of data subjects, or of large-scale processing of sensitive or judicial data), but a DPO may always be appointed voluntarily.
Non-EU companies that process data in the Union on more than an occasional basis must appoint a Representative in the Union, who represents the foreign company and deals with every matter that may give rise to obligations under the Regulation.
The appointment of a Representative in the Union is mandatory for non-EU companies when all of the following conditions are met: the controller is not a public body; Art. 3(2) applies (offering goods or services in the Union, whether or not a payment is required); the processing is not occasional; it concerns sensitive or judicial data on a large scale; and it poses a risk to the data subjects.