SANRAL Privacy Policy Statements

This Privacy Policy explains how SANRAL collects, processes, protects, and manages stakeholder personal and sensitive information in compliance with POPIA and other legislative frameworks.

1. Introduction

SANRAL takes the privacy of the sensitive and personal information of all its stakeholders seriously. SANRAL understands that sensitive and personal information is important to all stakeholders and is committed to protecting stakeholder privacy. SANRAL’s Privacy Policy incorporates relevant legislation as a guideline on how sensitive or personal information should be treated insofar as it relates to the following:

  • Data Collection.
  • Data Retention & Security.
  • Data Usage & Disclosure.
  • Data Accessibility.
  • Data Correction.
  • Data Breach Procedures.

2. Information Collected By SANRAL

SANRAL generally collects some or all of the following sensitive/personal information from internal and/or external sources, or a combination of these (e.g. employment data, toll systems, suppliers or third parties). The information collected relates specifically to information acquired for specific business purposes:

  • Name including any use of a pseudonym.
  • Address, phone details and email contact details.
  • Employment history.
  • Vehicle Information.
  • Bank account details.
  • Financial information.
  • National identifiers.
  • Referee opinions.
  • Interview opinions, and
  • Any other information that is supplied on documentation, electronically based systems or in communications with a SANRAL representative.
    • Other information gained for business purposes may include, but is not limited to:
      • Identification Number.
      • Vehicle owner information.
      • Vehicle information, and
      • Any personal information.
      • Credit card information.

3. How SANRAL Obtains Data

Information is acquired from other entities, including our Service Providers, third parties, government agencies, and toll agencies and operators. When motorists use The Toll Roads, the systems automatically collect certain information, which may be Personal Information, including:

  • The toll road used, along with the date, time, and lane of travel.
  • Transponder unique identifier (e.g., the transponder number).

When customers provide information directly to SANRAL or its service providers through our Website, App(s), and interactions with SANRAL, including creating or managing an account, they may provide the following categories of information, which may include Personal Information, such as:

  • Identifiers - name and other similar information (for example, first and last names, email address[es], mailing address[es], phone number[s]).
  • Account numbers as assigned to customers.
  • Transponder numbers as assigned.
  • Transaction and payment information.
  • Vehicle information registered to customer accounts (for example, the vehicle type, license plate number, registration, year, make, model, colour, and clean expiration date).
  • Data entered when paying and/or calculating a toll on our Website or App.
  • Responses to surveys and promotional events (such as responses to questions and interactions with us on social media or through surveys provided to customers).
  • Correspondence and communications information (for example, records of information provided by customers when they contact us, including audio and electronic information).

Information about transactions with SANRAL through toll systems: when customers make payments, payment information is collected, such as the date, type, amount, and category of any payment. Additionally, when customers provide financial, credit or debit card payment information, relevant data similar to that listed above is collected to process the payment.

Other sources: outside of SANRAL’s direct interactions with customers or third parties, and in order to carry out our business functions including billing, accounting, enforcement, operation, and management of The Toll Roads, information, including Personal Information, is obtained from the following sources (collectively “Other Sources”):

  • eNatis.
  • Service Providers.
  • Law enforcement.
  • Government records or other publicly accessible directories and sources.
  • Public record and information service providers.

Other Sources shall include the following, internal or external, for relevant business processes:

  • Employee management, including the screening of curriculum vitae.
  • Individuals utilizing the SANRAL website.
  • Law enforcement, and
  • Business purposes, including communication by phone, fax, email, in person or other method of communication (i.e. eNatis).
    • Individuals and companies who transact with SANRAL through the use of toll systems as a customer or road user.
    • Individuals and companies who provide services to SANRAL as contractors and/or service providers across various service areas locally and abroad.

SANRAL may also, with consent from the data subject, collect personal information from third parties including:

  • Reference checks with referees, and
  • Through networking with peers.

4. Purpose Of Collection

SANRAL collects sensitive and personal information about stakeholders to carry out its business functions and fulfil its obligations. These may include (but are not limited to):

  • The pursuit of legitimate business objectives.
  • Complying with government legislation (e.g.: Employee information of contractors or third parties, SANRAL collects Income tax and Value Added Tax numbers to comply with taxation requirements);
  • Meeting employment obligations to contractors and employees, which may include the processing of sensitive information (e.g.: Identification numbers, salary, age, disability and gender).

In addition, SANRAL may occasionally be required by law to collect, use and disclose personal information, for example in order to comply with the requirements of government departments for business data, or in support of a criminal investigation.

5. Collection, Use & Disclosure Of Sensitive/Personal Information

Information is only collected or disclosed when lawful, authorised, consented to, or legally required. SANRAL may share information:

  • If it is lawful to do so.
  • By individuals authorised to do so in the course of their duties.
  • With the knowledge of the data subject of the personal data / information, unless directed otherwise by legal authority, or
  • Either with the express or implied consent of
    • The data subject.
    • Guardian of the data subject of the personal data / information, or
    • Individual legally authorised to act on behalf of the data / information subject, or
  • In order to satisfy a legitimate commercial purpose, or
  • If required to do so to meet a legislative or regulatory obligation.

Sensitive and Personal information may be disclosed to:

  • Staff of SANRAL responsible for administering the processes described above.
  • Health service providers in the event of the administering of emergency health services.
  • Related bodies and third parties for the administration and provision of selected benefits and services, including but not limited to debt recovery, training or policy administration, and
  • Statutory authorities that may require personal information as per legislative requirements.

SANRAL may collect only the personal data / information required for the execution of SANRAL’s operations and achievement of its goals.

6. Access, Correct Or Update Personal Information

SANRAL must take reasonable steps to ensure the accuracy of the personal data / information provided.

To the extent authorised by privacy legislation, SANRAL must provide data subjects with access to review and amend personal information held by SANRAL. This may be for a reasonable administration fee, via existing communication channels.

7. Security Of Personal Information

SANRAL must take all reasonable steps to ensure that sensitive and personal information is held in a secure environment accessed only by authorised persons for approved business purposes.

SANRAL will maintain sufficient security measures to ensure that the integrity and confidentiality of personal information held and/or processed by it is protected. These responsibilities will include sufficient measures to prevent the loss of, damage to, or unauthorised access to such personal information. In giving effect to these requirements, SANRAL ensures the presence of suitable measures to:

  • Identify all reasonably foreseeable internal and external risks to personal information held by SANRAL.
  • Establish and maintain appropriate safeguards against the risks identified above.
  • Regularly review these measures to ensure that they are implemented effectively, and
  • Ensure that these safeguards are consistently reviewed and updated where necessary to keep up to date with the ever-evolving risks associated with the storage and processing of personal information.

SANRAL staff, contractors and third parties are expected to populate and maintain the Identification of Information collected and processed by SANRAL referenced in Table 1.

8. Notifiable Data Breaches

SANRAL recognises the legislative requirements for the reporting of any breaches of personal data / information. As part of storing personal data / information, SANRAL accommodates data security within its ICT framework.

SANRAL will use its resources to the best of its capabilities to prevent any personal information stored in its database(s) being passed to unsolicited third parties. Unfortunately, SANRAL cannot provide a 100% guarantee that personal / sensitive information stored will not be obtained by unsolicited third parties. Examples of data breaches may include (but are not limited to):

  • Hacking of a database(s) where contractor or employee sensitive data is stored.
  • Disgruntled employees that have access to such information disclosing information to unsolicited parties.
  • Fake email communications directing payment to an incorrect bank account.
  • Disclosure of login details and passwords to other people, or
  • Printed or soft copy information not being handled, stored or discarded correctly (e.g. resumes and other information dropped in a normal paper waste bin rather than being shredded).

In cases where SANRAL has evidence that personal information has been obtained by unsolicited parties, SANRAL will:

  • Identify the cause of the breach.
  • Limit any further effects of any breach.
  • Remedy the breach.
  • Inform affected individuals.
  • Report any breaches to any relevant statutory authorities as required, and
  • Ensure SANRAL enacts any further processes depending on the nature of the breach.

Section 2.4 deals with any non-compliance with this policy. SANRAL takes compliance with this policy seriously. Failure to comply puts both the data subject and the organisation at risk and will lead to disciplinary action which may result in dismissal.

9. Education & Awareness

SANRAL will incorporate the Privacy Policy into its induction pack, provide privacy training to staff dealing with personal data / information, and communicate privacy principles to all staff using awareness programs.

10. Privacy Inquiries

Stakeholders may contact the Executive responsible for Information Technology if they wish to:

  • Request access to, find out more about or seek amendment of personal data / information held by SANRAL.
    • Such requests for access shall be considered under applicable laws and regulations governing private information such as those referenced under 3.11 and 3.12.
  • Inquire generally about privacy rights and obligations.
  • Provide suggestions or feedback in respect of SANRAL’s handling of personal information, or
  • Make a complaint in relation to SANRAL’s handling of personal information.

11. Associated Policies

  • 4046032 - Information Classification & Handling Policy
  • 4046131 - Internal Privacy Policy
  • 2754930 - Information Technology Governance Framework
  • 4349160 - Global Information Security Policy
  • 5391220 - HRP024 - Employee Information Privacy Policy

12. Legislative Framework

  • The Protection of Personal Information Act 4 of 2013 (“POPIA”)
  • The Promotion of Access to Information Act, 2000
  • The General Data Protection Regulation (EU) 2016/679 (GDPR)

Table 1: Identification of Information collected and processed by SANRAL

Identification of Information collected and processed by SANRAL, Staff, Contractors and Third Parties
Data collected by Third Party | Type of information collected (Sensitive, Confidential, Public etc.) | Reason for data collection | Where do we store this information? | Contractual agreement in place? | Do you send this data to any other parties? | Reason for sending the data to another party | Name the parties to which you send the data | Updated by