Privacy Policy

Our privacy policy has been drawn up to give you clarity about how we collect, use and protect your data. We strive to safeguard your privacy, so that you can use our services with full confidence. Please take a moment to read through our privacy policy and do not hesitate to contact us if you have any questions. Your trust is very important to us.
This document sets out the policy on the handling of personal data. We, Sarabel, process personal data for our processes. This has a number of consequences. These consequences make it necessary to draw up policy rules on how we are to handle personal data internally. Personal data must be handled with the greatest possible care. Failing to do so could lead to harmful consequences for the data subject, but also for Sarabel. Under the General Data Protection Regulation (hereinafter: GDPR), high fines can be imposed, which could cause serious damage to our organisation.

The GDPR determines which conditions must be met in order to work with personal data. This regulation applies to our organisation. The regulation can be consulted via this link.

Privacy Policy

At Sarabel, we value your privacy and are committed to protecting your personal data. This privacy policy provides transparency about how we collect, process, and safeguard your information. We encourage you to read it carefully and contact us if you have any questions. Your trust matters to us.
This document outlines our policy regarding the handling of personal data. We, Sarabel, process personal data as part of our operations. This requires clear internal guidelines to ensure we handle data with the highest possible level of care. Failure to do so may lead to serious consequences for individuals and our organisation. Under the General Data Protection Regulation (GDPR), significant fines may be imposed, which could severely impact our business.

The GDPR outlines the conditions under which personal data may be processed. These rules apply to our organisation. You can access the full text of the GDPR via this link:
https://eur-lex.europa.eu/eli/reg/2016/679/oj

1. Introduction

1.1 Principles
The legislation mentioned above sets out the following principles that guide this policy:

·  Personal data must be processed lawfully, fairly, and transparently.
·  Data must be collected for specific, explicit, and legitimate purposes.
·  The data must be adequate, relevant, and limited to what is necessary.
·  Data must be accurate and kept up to date. Inaccurate data must be corrected or deleted.
·  Data must not be retained longer than necessary for its intended purpose.
·  Appropriate technical and organisational measures must be taken to prevent data breaches.
·  The rights of data subjects must be upheld and fulfilled where applicable.

2. Objectives & Definitions

2.1 Objectives
With this policy, we aim to:

·  Establish a clear and consistent framework for processing personal data at Sarabel.
·  Promote awareness of data privacy among staff and stakeholders.
·  Ensure compliance with applicable data protection laws and regulations.
2.2 Definitions
We align our definitions with those provided by the GDPR:

·  Data Subject: The identified or identifiable natural person whose data is processed.
·  Personal Data: Any information related to an identifiable individual (e.g., name, ID number, location data, online identifiers, physical or economic attributes).
·  Special Category Data: Sensitive data such as racial or ethnic origin, political opinions, religious beliefs, union membership, genetic and biometric data, health data, and sexual orientation.
·  Processing: Any operation performed on personal data, such as collection, recording, organisation, storage, alteration, retrieval, consultation, use, transmission, dissemination, or erasure.
·  Controller: The party that determines the purposes and means of processing personal data.
·  Processor: A party that processes personal data on behalf of the controller.
·  Automated Processing: Any form of processing carried out with the aid of computers or other automated systems.
·  Filing System: A structured set of personal data accessible according to specific criteria.
·  Recipient: A person or organisation to whom personal data is disclosed.
·  Third Party: Any party other than the data subject, controller, processor, or individuals under their direct authority.
·  Data Protection Officer (DPO): An appointed person responsible for monitoring internal compliance with data protection laws.
·  Consent: Freely given, specific, informed, and unambiguous indication of the data subject’s agreement to processing.
·  Supervisory Authority: An independent public authority responsible for monitoring compliance (e.g. the Dutch Data Protection Authority – Autoriteit Persoonsgegevens).
·  Profiling: Automated processing of personal data to analyse or predict personal characteristics.
·  Pseudonymisation: Processing personal data in a way that the data can no longer be attributed to a specific individual without additional information.
·  Representative: A party appointed in writing to act on behalf of the controller or processor in the EU.
·  Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to personal data.
2.3 Scope
This policy applies to all personal data processed within Sarabel. This includes but is not limited to employees, clients, visitors, service users, and contractors.
It also applies to all data processing operations, whether fully or partially automated, and to any structured data intended for inclusion in a filing system (including written data that will later be digitised).

3. Processing Policy

3.1 Purpose of Data Collection and Use
Sarabel collects and processes personal data strictly for defined and legitimate purposes that are essential to the continuity of our services. These purposes include payroll processing, HR management, income tax and healthcare declarations for individuals and entrepreneurs, and the provision of bookkeeping services. Personal data will never be used for secondary purposes without informing the data subject and evaluating whether the new use is compatible with the original intent, as per Article 6(4) GDPR.
3.2 Necessity and Data Minimisation
We only process personal data that is necessary, relevant, and proportionate to the purpose for which it is collected. Any data that does not directly contribute to the specified objective is not retained or processed. This reflects our commitment to the principle of data minimisation under the GDPR.
3.3 Legal Basis
Every processing activity is based on a lawful ground as set out in Article 6(1) of the GDPR. This may include the data subject’s consent, contractual necessity, legal obligations, or our legitimate interest. For special category data, we rely on a specific exemption under Article 9(2). When consent is used as the basis for processing, Sarabel ensures that such consent is freely given, informed, and demonstrable. Data subjects have the right to withdraw their consent at any time.

Processing of criminal records or offence-related data is only allowed under the direct supervision of competent authorities and where permitted by national legislation.

3.4 Transparency Obligation
Sarabel provides clear and complete information to all data subjects about how their personal data is processed. This includes the purpose of processing, the legal basis, retention periods, recipients, and contact details. When data is obtained directly from the data subject, this information is given at the time of collection. When data is obtained indirectly, the information is provided within one month or at the point of first contact, whichever comes first, unless an exemption applies under Article 14(5) GDPR.
3.5 Children Under 16
We do not process the personal data of children under the age of 16 via online services without the verifiable consent of a parent or legal guardian. Children’s data is not used for profiling unless it is strictly necessary and legally justified.
3.6 Register of Processing Activities
All processing activities conducted by Sarabel are documented in a Record of Processing Activities, in accordance with Article 30 of the GDPR. This register is maintained internally and reviewed regularly.

3.7 Retention Periods
We retain personal data only as long as necessary for the purposes for which it was collected, or to comply with legal obligations. When data is no longer needed, it is securely deleted, anonymised, or archived. Our standard retention period is seven (7) years, in line with Dutch tax regulations. Data may be retained for longer where required for historical, statistical, or scientific purposes, subject to appropriate safeguards.

4. Implementation

4.1 Governance Structure
The management of Sarabel is responsible for defining the purpose and means of all personal data processing activities, in accordance with the General Data Protection Regulation (GDPR). This privacy policy is designed to safeguard the rights of all data subjects and ensure lawful and transparent data processing throughout our organisation.

Privacy is structurally embedded into our organisation at three levels. At the strategic level, Sarabel defines the scope, ambitions, and compliance framework for data protection. At the tactical level, this framework is translated into concrete policies, operational standards, and monitoring tools. At the operational level, privacy-related tasks are carried out in daily business activities.
4.2 Compliance and Monitoring
Ongoing monitoring ensures that our privacy policy remains effective and up to date. Internal checks and evaluations are conducted regularly. Where non-compliance is identified, appropriate corrective action is taken. Staff may be held accountable for serious violations of data protection laws or internal procedures.

Technological and organisational developments are continually assessed to improve and adapt our safeguards. Privacy protection is not static; it is actively managed.

5. Data Security

5.1 Technical and Organisational Measures
Sarabel is committed to ensuring a high level of data security. Personal data is handled with strict confidentiality, and security measures are taken to protect against unauthorised access, loss, misuse, or unlawful processing. These measures include technical safeguards (such as encryption and secure data storage) and organisational controls (such as limited access rights and regular audits).

We apply the principles of Privacy by Design and Privacy by Default in all systems and workflows. This means we integrate data protection into the design of our IT infrastructure and business processes, and ensure that only the minimum amount of personal data necessary is collected and used by default.
5.2 Confidentiality
All employees, contractors, and relevant third parties are required to treat personal data as confidential. Disclosure of data is only permitted when required by law or when explicit consent has been given. A confidentiality obligation is standard within Sarabel’s internal data protection procedures.

6. Data Sharing

6.1 Use of Data Processors
When Sarabel engages external parties to process personal data on its behalf, we enter into a Data Processing Agreement. This agreement specifies the scope of processing, security requirements, and the processor’s obligation to act only under Sarabel’s instructions. These agreements are essential to protect data subjects’ rights and ensure compliance with legal standards.
6.2 Recipients Within the EU
Personal data may be shared with third parties within the European Union, including IT providers, payroll services, accountants, or tax authorities, when legally justified. Any such data sharing is conducted under the terms set by the GDPR. Special category data is only shared with explicit consent from the data subject unless otherwise permitted by law.

6.3 Recipients Outside the EU
If personal data is transferred outside the European Economic Area (EEA), this will only occur when adequate safeguards are in place, such as an adequacy decision by the European Commission or Standard Contractual Clauses (SCCs). In the absence of such measures, Sarabel implements additional appropriate safeguards. Copies of these safeguards are available upon request. Transfers of special category data require explicit consent from the data subject.

7. Incidents

7.1 Reporting
All incidents involving personal data, including complaints, breaches, or suspected misuse, must be reported directly to Sarsorti B.V. An incident log is maintained internally, and any individual can report a concern through our designated contact point.
7.2 Handling of Incidents
Upon notification of an incident, Sarabel’s responsible manager will assess and handle the matter appropriately. Where required, we will notify the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and, if applicable, the affected data subjects. Serious incidents that pose a risk to rights and freedoms will be treated with urgency and transparency.
7.3 Evaluation and Learning
All incidents are reviewed at least annually. The goal is to identify patterns, improve internal procedures, and reduce future risks. This evaluation forms part of Sarabel’s continuous improvement of data protection practices.

8. Rights

We respect the rights of all data subjects as provided under the applicable laws and regulations. Where we act as the data controller, we ensure that data subjects are able to effectively exercise these rights. Below is an overview of these rights and what they entail.

A request from a data subject must be handled as quickly as possible and no later than within one month. Where requests are manifestly unfounded or excessive, a fee may be charged or the request may be refused. The same applies where a data subject submits multiple requests relating to the same right; in such cases, a fee may be charged or the repeated requests may be refused.

Where there is doubt about the identity of the person submitting the request, additional information may be requested in order to verify the identity of the data subject.
8.1 The right to information
The data subject has, first and foremost, the right to be informed. This right arises at the moment we obtain the personal data of the data subject. This information is provided through our Privacy Policy. In this policy, the data subject is informed about a number of matters, as set out in Article 13 of the GDPR or Article 14 of the GDPR.
This information also includes details of the rights the data subject has with regard to their personal data.
8.2 The right of access
The data subject has the right, upon request, to obtain access to the personal data relating to them that are being processed. Such a request should be addressed to Sarabel. Where the data subject is a minor, the request must also be made by their legal representative.

In order to comply with such a request, the data subject will be provided with the information relating to their personal data as set out in Article 15 of the GDPR. In the case of repeated requests, a fee may be charged.
8.3 The right to rectification and erasure of data
Where personal data are incorrect or incomplete, we will correct or supplement such personal data as soon as possible.

We will erase personal data where one of the situations referred to in Article 17 of the GDPR applies. Article 17(3) of the GDPR also sets out a number of exceptions to this right. Erasure will take place without undue delay.

Under certain circumstances, a data subject has the right to request the restriction of the processing of their personal data. These circumstances are set out in Article 18 of the GDPR.

We will inform the recipients of the personal data where any of the above situations apply.

Upon request by a data subject, and where possible, we will provide their personal data in a structured, commonly used and machine-readable format where the data subject has given consent for the use of their personal data or where the processing is carried out by automated means.
8.4 The right to object and automated individual decision-making
The data subject has the right to object, on grounds relating to their particular situation, to the processing of their personal data where such processing is based on a legitimate interest or the performance of a task carried out in the public interest, as referred to in Article 6(1)(e) or (f) of the GDPR. This right also applies to profiling and/or direct marketing.

We may only use solely automated decision-making, including profiling, which produces legal effects concerning the data subject or similarly significantly affects them, in a limited number of cases, namely:
• where such processing is necessary for the conclusion or performance of a contract between us and the data subject; or
• where the data subject has given explicit consent; or
• where such processing is authorised by law.

In the first two cases, the data subject has the right to obtain human intervention.
8.5 The right to lodge a complaint
Any data subject may lodge a complaint if they believe that their rights are not being respected by our organisation. The data subject may submit a complaint to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens – AP). The data subject also has the right to bring the matter before a court.

9. Lastly

This policy was established on 06 January 2024 and has been approved by the management of Sarabel. Any amendments to this policy will be announced through the usual internal communication channels. In addition, this document is available for consultation at www.sarabeladministratie.nl.

The effectiveness of this policy, the measures to be taken, and whether such measures are effective are reviewed annually.