Questions and Answers
Central FAQ at a glance
Who is responsible for data protection in the company?
Responsibility remains with company management. Tasks can be delegated, but responsibility for decisions, priorities, and the use of suitable service providers cannot.
When is a Data Protection Officer useful?
That depends on the type and scope of processing, on legal obligations, and on the degree of internal organization. Even where there is no formal obligation, external support can make sense in order to anchor data protection in a structured way.
How extensive does ISO 9001 documentation need to be?
As extensive as necessary, but as lean as possible. Documentation should map processes, roles, and evidence rather than bury the organization in text.
What is the value of an internal audit if not everything is perfect yet?
That is exactly when an internal audit is valuable. It shows where rules, evidence, or responsibilities are still unclear and which measures will have an effect first.
What is specifically checked in a website audit?
Typically: tracking and cookie logic, forms, newsletter flows, external services, hosting, update maintenance, roles, redirects, security basics, and the data-protection classification of these points.
Is data protection only a legal topic?
No. Data protection always has organizational and technical aspects as well. Without clean processes and without a technical assessment, legal requirements remain difficult to implement in day-to-day operations.
How quickly can a robust baseline be established?
That depends on what already exists. In most cases, an initial structured working baseline can be reached significantly faster than a complete final version. The key is to prioritize the topics sensibly.
How are data protection, quality management, and website operations connected?
They share the same underlying question: Which processes are controlled, documented, reviewed, and improved—and how? That is exactly why many topics are better handled together rather than in isolation.