With this policy, we aim to:

·  Establish a clear and consistent framework for processing personal data at Sarabel.
·  Promote awareness of data privacy among staff and stakeholders.
·  Ensure compliance with applicable data protection laws and regulations.

We align our definitions with those provided by the GDPR:

·  Data Subject: The identified or identifiable natural person whose data is processed.
·  Personal Data: Any information related to an identifiable individual (e.g., name, ID number, location data, online identifiers, physical or economic attributes).
·  Special Category Data: Sensitive data such as racial or ethnic origin, political opinions, religious beliefs, union membership, genetic and biometric data, health data, and sexual orientation.
·  Processing: Any operation performed on personal data, such as collection, recording, organisation, storage, alteration, retrieval, consultation, use, transmission, dissemination, or erasure.
·  Controller: The party that determines the purposes and means of processing personal data.
·  Processor: A party that processes personal data on behalf of the controller.
·  Automated Processing: Any form of processing carried out with the aid of computers or other automated systems.
·  Filing System: A structured set of personal data accessible according to specific criteria.
·  Recipient: A person or organisation to whom personal data is disclosed.
·  Third Party: Any party other than the data subject, controller, processor, or individuals under their direct authority.
·  Data Protection Officer (DPO): An appointed person responsible for monitoring internal compliance with data protection laws.
·  Consent: Freely given, specific, informed, and unambiguous indication of the data subject’s agreement to processing.
·  Supervisory Authority: An independent public authority responsible for monitoring compliance (e.g. the Dutch Data Protection Authority – Autoriteit Persoonsgegevens).
·  Profiling: Automated processing of personal data to analyse or predict personal characteristics.
·  Pseudonymisation: Processing personal data in a way that the data can no longer be attributed to a specific individual without additional information.
·  Representative: A party appointed in writing to act on behalf of the controller or processor in the EU.
·  Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to personal data.

This policy applies to all personal data processed within Sarabel. This includes but is not limited to employees, clients, visitors, service users, and contractors.
It also applies to all data processing operations, whether fully or partially automated, and to any structured data intended for inclusion in a filing system (including written data that will later be digitised).

Sarabel collects and processes personal data strictly for defined and legitimate purposes that are essential to the continuity of our services. These purposes include payroll processing, HR management, income tax and healthcare declarations for individuals and entrepreneurs, and the provision of bookkeeping services. Personal data will never be used for secondary purposes without informing the data subject and evaluating whether the new use is compatible with the original intent, as per Article 6(4) GDPR.

We only process personal data that is necessary, relevant, and proportionate to the purpose for which it is collected. Any data that does not directly contribute to the specified objective is not retained or processed. This reflects our commitment to the principle of data minimisation under the GDPR.

Every processing activity is based on a lawful ground as set out in Article 6(1) of the GDPR. This may include the data subject’s consent, contractual necessity, legal obligations, or our legitimate interest. For special category data, we rely on a specific exemption under Article 9(2). When consent is used as the basis for processing, Sarabel ensures that such consent is freely given, informed, and demonstrable. Data subjects have the right to withdraw their consent at any time.

Processing of criminal records or offence-related data is only allowed under the direct supervision of competent authorities and where permitted by national legislation.

Sarabel provides clear and complete information to all data subjects about how their personal data is processed. This includes the purpose of processing, the legal basis, retention periods, recipients, and contact details. When data is obtained directly from the data subject, this information is given at the time of collection. When data is obtained indirectly, the information is provided within one month or at the point of first contact, whichever comes first, unless an exemption applies under Article 14(5) GDPR.

We do not process the personal data of children under the age of 16 via online services without the verifiable consent of a parent or legal guardian. Children’s data is not used for profiling unless it is strictly necessary and legally justified.

All processing activities conducted by Sarabel are documented in a Record of Processing Activities, in accordance with Article 30 of the GDPR. This register is maintained internally and reviewed regularly.

We retain personal data only as long as necessary for the purposes for which it was collected, or to comply with legal obligations. When data is no longer needed, it is securely deleted, anonymised, or archived. Our standard retention period is seven (7) years, in line with Dutch tax regulations. Data may be retained for longer where required for historical, statistical, or scientific purposes, subject to appropriate safeguards.

The management of Sarabel is responsible for defining the purpose and means of all personal data processing activities, in accordance with the General Data Protection Regulation (GDPR). This privacy policy is designed to safeguard the rights of all data subjects and ensure lawful and transparent data processing throughout our organisation.

Privacy is structurally embedded into our organisation at three levels. At the strategic level, Sarabel defines the scope, ambitions, and compliance framework for data protection. At the tactical level, this framework is translated into concrete policies, operational standards, and monitoring tools. At the operational level, privacy-related tasks are carried out in daily business activities.

Ongoing monitoring ensures that our privacy policy remains effective and up to date. Internal checks and evaluations are conducted regularly. Where non-compliance is identified, appropriate corrective action is taken. Staff may be held accountable for serious violations of data protection laws or internal procedures.

Technological and organisational developments are continually assessed to improve and adapt our safeguards. Privacy protection is not static, it is actively managed.

Sarabel is committed to ensuring a high level of data security. Personal data is handled with strict confidentiality, and security measures are taken to protect against unauthorised access, loss, misuse, or unlawful processing. These measures include technical safeguards (such as encryption and secure data storage) and organisational controls (such as limited access rights and regular audits).

We apply the principles of Privacy by Design and Privacy by Default in all systems and workflows. This means we integrate data protection into the design of our IT infrastructure and business processes, and ensure that only the minimum amount of personal data necessary is collected and used by default.

All employees, contractors, and relevant third parties are required to treat personal data as confidential. Disclosure of data is only permitted when required by law or when explicit consent has been given. A confidentiality obligation is standard within Sarabel’s internal data protection procedures.

When Sarabel engages external parties to process personal data on its behalf, we enter into a Data Processing Agreement. This agreement specifies the scope of processing, security requirements, and the processor’s obligation to act only under Sarabel’s instructions. These agreements are essential to protect data subjects’ rights and ensure compliance with legal standards.

Personal data may be shared with third parties within the European Union, including IT providers, payroll services, accountants, or tax authorities, when legally justified. Any such data sharing is conducted under the terms set by the GDPR. Special category data is only shared with explicit consent from the data subject unless otherwise permitted by law.

If personal data is transferred outside the European Economic Area (EEA), this will only occur when adequate safeguards are in place, such as an adequacy decision by the European Commission or Standard Contractual Clauses (SCCs). In the absence of such measures, Sarabel implements additional appropriate safeguards. Copies of these safeguards are available upon request. Transfers of special category data require explicit consent from the data subject.

All incidents involving personal data  including complaints, breaches, or suspected misuse must be reported directly to Sarsorti B.V. An incident log is maintained internally, and any individual can report a concern through our designated contact point.

Upon notification of an incident, Sarabel’s responsible manager will assess and handle the matter appropriately. Where required, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and, if applicable, the affected data subjects. Serious incidents that pose a risk to rights and freedoms will be treated with urgency and transparency.

All incidents are reviewed at least annually. The goal is to identify patterns, improve internal procedures, and reduce future risks. This evaluation forms part of Sarabel’s continuous improvement of data protection practices.

De betrokkene heeft allereerst het recht op informatie. Dit recht ontstaat op het moment dat wij de
persoonsgegevens van betrokkenen verkrijgen. Dit noemen wij de Privacy Verklaring. In deze verklaring wordt de betrokkene op de hoogte gebracht van een aantal zaken. Deze zaken zijn opgenomen in art. 13 AVG of art. 14 AVG. Bij deze informatie wordt ook medegedeeld welke rechten de betrokkene heeft met betrekking tot zijn persoonsgegevens.

De betrokkene krijgt op zijn verzoek inzage in de persoonsgegevens die van de betrokkene zijn verwerkt. Zo'n verzoek wordt gericht aan: Sarabel. Wanneer het een minderjarige betreft moet ook de vertegenwoordiger dit verzoek doen.
‍
Om te voldoen aan zo'n verzoek moet de betrokkene de volgende informatie worden verstrekt met betrekking tot die persoonsgegevens zijn genoemd in art. 15 AVG. Bij een herhaaldelijk verzoek mogen kosten in rekening worden gebracht.

Mocht het voorkomen dat de persoonsgegevens onjuist of onvolledig zijn, dan zullen wij deze persoonsgegevens zo snel als mogelijk verbeteren of aanvullen.

Wij wissen de persoonsgegevens op het moment dat sprake is van één van de situaties zoals die genoemd worden in art. 17 AVG. In dit artikel worden in het 3de lid ook een aantal uitzonderingen op dit recht genoemd. Dit gebeurt zonder redelijke vertraging.

Onder bepaalde omstandigheden heeft een betrokkene het recht om aan de beperking van de verwerking van de persoonsgegevens te verzoeken. Deze omstandigheden worden genoemd in art. 18 AVG.
De ontvangers van de persoonsgegevens brengen wij op de hoogte als één van de bovenstaande situaties aan de orde is.

Op verzoek van een betrokkene zullen wij, zover als mogelijk, zijn persoonsgegevens verstrekken in een gestructureerde, gangbare en machine-leesbare vorm verstrekken op het moment dat de betrokkene toestemming heeft gegeven voor het gebruik van zijn persoonsgegevens of de verwerking via automatische procedures worden verricht.

De betrokkene heeft het recht om op basis van persoonlijke omstandigheden bezwaar te maken tegen de verwerking van zijn persoonsgegevens wanneer deze verwerking gebaseerd is op een belangenafweging zoals genoemd in art. 6 lid 1 sub e of f. Dit geldt ook voor de profilering en of direct marketing.

Slechts in een aantal gevallen mogen wij gebruik maken van uitsluitend geautomatiseerde besluitvorming, met inbegrip van profilering, waarbij voor de betrokkene gevolgen kunnen ontstaan of de betrokkene op andere manier ernstig kan raken. Dit is in de volgende gevallen:.
·  Wanneer dit noodzakelijk is voor de totstandkoming of de uitvoering van een overeenkomst tussen    ons en de betrokkene, of;
·  Wanneer de betrokkene hier toestemming voor gegeven heeft, of;
·  Wanneer dit wordt gedaan op basis van de wet.

In de eerste twee gevallen heeft de betrokkene recht op menselijke tussenkomst.

Iedere betrokkene kan een klacht indienen wanneer de betrokkene van mening is dat zijn rechten niet worden gehandhaafd door onze organisatie. De betrokkene kan een klacht indienen bij de Autoriteit Persoonsgegevens (AP). Voor de betrokkene bestaat ook de mogelijkheid om naar de rechter te gaan.