This service was chosen by your employer, 'the controller' of your personal information, to bring you a range of benefits on their behalf.
In this relationship, we are 'the processor' of personal information where it is provided your employer. We are contractually obliged to provide the service to your employer, and we cannot provide the service without processing your personal information.
Caboodle only ever act under written instruction issued by your employer in the processing of your personal information. We have a data processing contract in place with your employer to ensure we protect and fairly process your personal information.
Where you provide information as an individual, we are the controller of your personal information. For example, if you submit your mobile phone number through the account page (directly as a data subject, or not provided through your employer, the data controller)
You have certain rights under the General Data Protection Regulation (CEU 2016/679) which are listed below. We have indicated where the decision for granting your rights rests directly with your employer.
Caboodle takes adequate steps to prevent unauthorised access to personal information, including implementing technological and operational security measures in accordance with ISO27001, documenting our processing activities, data processing contracts with sub-processors and suppliers, and appointing a Data Protection (Compliance) Officer.
Where information is requested from you to apply for a scheme, you are responsible for ensuring the information provided to caboodle is accurate, including, where required updating the information with any changes when they occur. Any additional information provided that the system does not require, is provided at your own risk.
Caboodle cannot fulfil its contractual obligations to your employer without processing personal information.
The personal information collected is adequate, relevant and limited to what is necessary in relation to the processing purpose, which is the provision of employee benefits and communications.
Under UK GDPR, you have rights in relation to the processing of your personal information.
Your employer decides how information will be collected. In some cases, personal information is collected and passed from your employer to caboodle before you register to Salary Extras. In other cases, you register and provide your information yourself.
The information we collect includes:
For security and performance monitoring, caboodle also process IP addresses.
Examples of scenarios in which we would require your personal information include:
Any personal information shared during a telephone conversation with one of our operators is always kept strictly confidential. Calls are recorded for training and monitoring purposes to ensure caboodle maintains its high standards of customer service.
A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can modify your browser setting to decline cookies if you prefer.
If you decline cookies, please be aware that this may impair your ability to use some areas of the website.
You will be emailed about some of your activity on Salary Extras.
Caboodle will never share, sell lease or distribute your data to any external third party for direct marketing purposes.
We may contact you via the Salary Extras message centre, via email from caboodle, or use a third-party email service to provide you with information about your benefits. These emails will be sent to the email address you used to register on the platform.
Where information is provided by your employer, your personal information is transferred to caboodle using the secure method agreed by your employer.
Where data is shared with a third-party or sub-processor are engaged, it is for one of the following reasons:
In such cases, your employer will be aware and will have asked us to release this data to a specified sub-processor or third party. Where required, service providers have signed the relevant contractual agreements with us to ensure adequate levels of data protection. These companies are required to act in accordance with the instructions we give them, and they must meet the requirements of the GDPR to keep your personal information secure. When we share data, we only share the minimum required for that application or communication, and service providers are not permitted to use the data for any purpose other than the purpose it has been expressly provided for.
Caboodle hosts a variety of voluntary benefit providers on the Salary Extras platform for which services you will transact directly with the provider on their web application via an external link from Salary Extras. You are advised to read and accept their Privacy Policies and terms and conditions of use and select the appropriate tick-boxes where indicated to capture your marketing preferences for these companies.
Where required, your information may be processed outside of the European Economic Area (EEA) and only where adequate safeguards for the protection of your information have been proven. Please contact us if you have any questions about the transfer of your personal data outside of the EEA.
Unless otherwise agreed with your employer, all information you provide to us is stored on our secure servers in the UK. We have certified measures in place to protect your personal data according to ISO27001 (certificate number: 14657), Once we have received your information, we use strict procedures and security features to prevent unauthorised access to it.
Your personal information will be held according to the following criteria:
We may retain your information for HMRC regulatory or other legal reasons even if you request, or your employer instructs us, to delete your information. The current minimum regulatory period for retention according to HMRC is 6 years plus the following accounting year after the last record was processed.
If you do not have a salary sacrifice scheme application subject to HMRC regulation and your employer instructs us to, your personal information will be securely deleted from Salary Extras and any other systems.
While your information is retained, caboodle will respect your applicable privacy rights and its obligations to accountability for data protection under UK GDPR.
You have a right to access your personal data from the data controller of your personal information, so that you are aware of and can verify the lawfulness of the processing. This is commonly known as a 'subject access request'.
You may at any time make a written request for a copy of the personal information your employer, as the data controller, has on record for you which will include any information we process on their behalf. If your employer asks us to, we will respond to the request within one month.
Your employer, as the data controller, is responsible for your right of access and should be contacted directly to make a right of access request.
You have the right to have personal data rectified if it is inaccurate or incomplete.
As controller of your personal information, your employer ensures the accuracy of your data. Your employer checks that personal information is accurate and tells us when to update it. When provided by your employer, caboodle will rectify personal data within one month of receipt.
In some cases, if your employer prefers you to self-serve your own personal information, you will be able to update any inaccurate information yourself on the 'Personal Details' page of Salary Extras or through the contact centre.
Please contact your employer directly to make a right to rectification request, unless you can update the information yourself.
You have the right to request your personal data is deleted or removed where there is no compelling reason for its continued processing.
Where the right to erasure does not apply, your employer or caboodle will refuse to deal with a request.
You should contact your employer directly to make a right to erasure request who will contact us accordingly.
You have a right to ask us to suspend processing of personal data under certain circumstances such as,
The right to portability allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, so that you can reuse for their own purposes.
Requests made in relation to your right to data portability can be made using any of the contact methods in the 'contact us' section of this policy.
Caboodle will ensure you obtain a machine-readable copy of the information held by any caboodle Technology system according to procedure, within one month of the request being made.
You have the right to object to your data being processed under certain circumstances, such as direct marketing, or where there are grounds that relate to your particular situation
We do not complete any automated decision making or profiling.
Caboodle reserve the right to divulge information when we are required to do so by law, for example under a court order or provisions contained in legislation.
If you have any questions or concerns relating to the processing of your personal information by caboodle, please contact:
Caboodle Technology Limited
Suite 24 and 25
Edwin Foden Business Centre
Or email: firstname.lastname@example.org
Call: : (+44) 330 100 2313
We may change this policy from time to time as we add new services or features, or in response to changes in the law or our commercial arrangements. Any changes to this policy will be posted on this website. The last time this policy was updated was January 2021.