This website was chosen by your employer, 'the controller' of your personal information, to bring you a range of benefits on their behalf.
In this relationship, we are 'the processor' of personal information. We are contractually obliged to provide the service to your employer and we cannot provide the service without processing your personal information.
Caboodle only ever act under written instruction issued by your employer in the processing of your personal information. We have a data processing contract in place with your employer to ensure we protect and fairly process your personal information.
All controllers must establish and document their lawful basis for processing data before the processing activity commences. Your employer has established the lawful reason for caboodle processing your personal information. You have certain rights under the General Data Protection Regulation (CEU 2016/679) which are listed below. We have indicated where the decision for granting your rights rests directly with your employer.
Caboodle takes adequate steps to prevent unauthorised access to personal information, including implementing technological and operational security measures in accordance with ISO27001, documenting our processing activities, data processing contracts with sub-processors and suppliers, and appointing a Data Protection (Compliance) Officer.
Where information is requested from you to apply for a scheme, you are responsible for ensuring the information provided to caboodle is accurate, including updating the information with any changes when they occur. It is our recommendation that when setting up childcare voucher scheme payments that you do not include your child's name as the reference for security and data protection purposes. Any additional information provided that the system does not require, is provided at your own risk.
Why we collect your information
Caboodle cannot fulfil its contractual obligations to your employer without processing personal information.
The personal information collected is adequate, relevant and limited to what is necessary in relation to the processing purpose, which is the provision of employee benefits and communications.
Under GDPR, you have rights in relation to the processing of your personal information.
1. The right to be informed
Your employer decides how information will be collected. In some cases, personal information is collected and passed from your employer to caboodle before you register to Salary Extras. In other cases, you register and provide your information yourself.
The Information We Collect
The information we collect includes:
- First name, Surname and Title
- Payroll/Employee Number
- National Insurance Number
- Date of Birth
- Home address
- Telephone numbers
- E-mail addresses
- Salary details
- Hours worked
- Details of benefit entitlement
- Details of benefit spend
- Telephone conversations
For security and performance monitoring, caboodle also process IP addresses.
Use of Information
1. Employee Benefits
We require your personal information to:
- Ensure that your personal details will be assigned to your online
- Ensure the accuracy of your benefit application and any salary deductions
- Ensure when you apply for benefits, your application does not take your salary to below National Minimum Wage or to comply with other HMRC guidelines
- Ensure your application complies with the limits or rules your company sets against each scheme
- Ensure you can apply successfully for a benefit over the phone using the customer care centre
- Ensure you receive the benefits you have been approved to receive
- Contact you by email or through the messaging service about your benefits
- Perform any other services your employer has contracted us to perform
Any personal information shared during a telephone conversation with one of our operators is always kept strictly confidential. Calls are recorded for training and monitoring purposes to ensure caboodle maintains its high standards of customer service.
A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can modify your browser setting to decline cookies if you prefer.
If you decline cookies, please be aware that this may impair your ability to use some areas of the website.
You will be emailed about some of your activity on Salary Extras.
System-generated emails will inform you when you:
- Successfully register to the platform
- Reset your password
- Apply for, have been approved for, or rejected for schemes via the online application facility within Salary Extras.
Caboodle will never share, sell, lease or distribute your data for direct marketing. We will never contact you by email, telephone or by post with any marketing communication.
Occasionally, when instructed to do so by your employer, we may contact you via the Salary Extras message centre, via email from caboodle, or use a third-party email service to email you with information about your benefits to the email address you registered to the platform with. You will be sent this information so that you are aware of company and employment information that your employer considers important.
Transfer of Information
Where information is provided by your employer, your personal information is transferred to caboodle using the secure method agreed by your employer.
Where data is shared with a third-party or sub-processor are engaged, it is for one of the following reasons:
- Acting under the written instructions of the controller
- For the performance of a contract with the controller
- To fulfil our legal obligations
In such cases, your employer will be aware and will have asked us to release this data to a specified sub-processor or third party. Where required, service providers have signed the relevant contractual agreements with us to ensure adequate levels of data protection. These companies are required to act in accordance with the instructions we give them and they must meet the requirements of the GDPR to keep your personal information secure. When we share data, we only share the minimum required for that application or communication, and service providers are not permitted to use the data for any purpose other than the purpose it has been expressly provided for.
Data is shared with any of the following third parties:
- UKFast - Servers
- Emailcenter Email service (Maxemail)
- Independent bicycle retailers
- Specialist Computer Centres (SCC)
- John Lewis
- First Capital Cash Flow (FCC)
- Next Jump
- County Print
- UKIT Networks
- AFM (Asset Finance/Management)
- Akira Financial
- SVM Europe
- Unum Dental
- Alcumus ISOQAR
Caboodle hosts a variety of voluntary benefit providers on the Salary Extras platform for which services you will transact directly with the provider on their web application via an external link from Salary Extras. You are advised to read and accept their Privacy Policies and terms and conditions of use and select the appropriate tick-boxes where indicated to capture your marketing preferences for these companies.
Where required by your employer, your information may be processed outside of the European Economic Area (EEA) and only where adequate safeguards for the protection of your information have been proven. Please contact us if you have any questions about the transfer of your personal data outside of the EEA.
Storage of Information
Unless otherwise agreed with your employer, all information you provide to us is stored on our secure servers in the UK. Unfortunately, the transmission of information via the internet is not completely secure. Although we have certified measures in place to protect your personal data according to ISO27001 (certificate number: 14657), we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we use strict procedures and security features to try to prevent unauthorised access to it.
Retention and Deletion
Your personal information will be held according to the following criteria:
- The period your employer tells us to retain it for
- Until your employer tells us to delete the information
- According to legal obligation
We may retain your information for HMRC regulatory or other legal reasons even if you request, or your employer instructs us, to delete your information. The current minimum regulatory period for retention according to HMRC is 6 years plus the following accounting year after the last record was processed.
If you do not have a salary sacrifice scheme application subject to HMRC regulation and your employer instructs us to, your personal information will be securely deleted from Salary Extras and any other systems.
While your information is retained, caboodle will respect your applicable privacy rights and its obligations to accountability for data protection under GDPR.
2. The right of access
You have a right to access your personal data from the data controller of your personal information, so that you are aware of and can verify the lawfulness of the processing. This is commonly known as a 'subject access request'.
You may at any time make a written request for a copy of the personal information your employer, as the data controller, has on record for you which will include any information we process on their behalf.
We will await their instruction in processing the request. If your employer asks us to, we will respond to the request within one month. If we process information about you, your employer will confirm this and advise of the following:
- give you a description of the personal data;
- tell you why we are holding it;
- tell you who your personal data could be disclosed to; and
- let you have a copy in an intelligible form.
Your employer, as the data controller, is responsible for your right of access and should be contacted directly to make a right of access request.
3. The right to rectification
You have the right to have personal data rectified if it is inaccurate or incomplete.
As controller of your personal information, your employer ensures the accuracy of your data. Your employer checks that personal information is accurate and tells us when to update it. When provided by your employer, caboodle will rectify personal data within one month of receipt.
In some cases, if your employer prefers you to self-serve your own personal information, you will be able to update any inaccurate information yourself on the 'Personal Details' page of Salary Extras.
Please contact your employer directly to make a right to rectification request, unless you can update the information yourself.
4. The right to erasure
You have the right to request your personal data is deleted or removed where there is no compelling reason for its continued processing. Personal data will be deleted under these circumstances:
- Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- When you withdraw consent.
- When you object to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child
Where the right to erasure does not apply, your employer or caboodle will refuse to deal with a request.
You should contact your employer directly to make a right to erasure request who will contact us accordingly.
5. The right to restrict processing
You have a right to ask us to suspend processing of personal data under the following circumstances:
- you contest the accuracy of your personal data;
- the data has been unlawfully processed (i.e. in breach of the lawful reason for processing) but you do not want us to delete it;
- you no longer need the personal data but you need to keep it in order to establish, exercise or defend a legal claim; or
- you object to caboodle processing your data but we need to verify whether we have overriding legitimate grounds to use it.
6. The right to data portability
The right to portability allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, so that you can reuse for their own purposes.
Requests made in relation to your right to data portability can be made using any of the contact methods in the 'contact us' section of this policy.
Caboodle will ensure you obtain a machine-readable copy of the information held by any caboodle Technology system according to procedure, within one month of the request being made.
7. The right to object
You have the right to object to:
- processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
- direct marketing (including profiling); and
- processing for purposes of scientific/historical research and statistics;
on grounds relating to your particular situation.
8. Rights in relation to automated decision making and profiling
Any information about processing based on automated individual decision-making and profiling is laid out here. Salary Sacrifice schemes are subject to HMRC regulation which sets rules for applications. Applicants must be over 18 and the application must not take the employee below the national minimum wage. However, at the discretion of your employer, applicants may be allowed to apply for certain benefits against these criteria; usually, this is managed in-house at your company. Salary Extras has age and wage limitations automatically set within its salary sacrifice schemes. Where your application is automatically rejected by the Salary Extras system due to these limitations, caboodle have ways for you to request human intervention or challenge a decision and we carry out regular checks to make sure that caboodle are working as intended.
Caboodle reserve the right to divulge information when we are required to do so by law, for example under a court order or provisions contained in legislation.
If you have any questions or concerns relating to the processing of your personal information by caboodle, please contact:
Caboodle Technology Ltd
Or email: firstname.lastname@example.org
Call: 0330 1000 911
Changes to the policy
We may change this policy from time to time as we add new services or features, or in response to changes in the law or our commercial arrangements. Any changes to this policy will be posted on this website. The last time this policy was updated was May 2018.