Eswatini Rail Link (“ESRL”) is committed to protecting the privacy of users of its website, mobile applications, and services (“our services”). This Privacy Statement (“Statement”) describes how we collect the personally identifiably information (herein after “personal information”) you provide to us. It also describes the choices available to you regarding our use of your personal information and how you can access and update this information. To better inform you of our course of action concerning user privacy, we have adopted the following principles, which adhere to the European Union General Data Protection Regulations (“GDPR”) and the South African Protection of Personal Information Act No. 4 of 2013 (“POPIA”).
The Personal Information ESRL Collects
The personal information that we collect will depend on how you are using our services:
- To enable your access to our services, we may collect personal information concerning your personal or your company’s internet protocol address or other authentication methods.
- In connection with the Contact Form, we collect your name and surname, telephone number, email address, and the message to the recipient.
- In connection with the customer interaction centre, we collect your email address and any other personal information you may provide.
- In connection with your creation of a Rail On-line account, we collect your identity number, name and surname, contact details (telephone number, cell phone number, fax number and email address) company information, postal address, username and password, account number, as well as other information you may provide.
- We may collect certain non-personal information, such as the type of browser you are using (e.g. Google Chrome, Internet Explorer etc.), the type of operating system you are using (e.g. Windows, Mac), and the domain name of your internet service provider.
- We may collect personal information through correspondence you send to us through optional surveys and in connection with statements you may post on any ESRL -related page on social media networking sites (e.g. Facebook, Twitter etc.).
We don’t knowingly collect personal information from anyone under the age of 18. If it is discovered that we have collected personal information from someone under the age of 18, we shall promptly de-identify that information.
Data Integrity and Use of Personal Information
We use the personal information collected in ways that are compatible with the purposes for which it was intended to be used: to enable your use of our services; to respond to your inquiries; for system administration, customer support, and troubleshooting purposes; for new services announcements and service updates; for service announcements; for sending newsletters; to improve the design of our website; to enable us to enforce our disclaimer; and in aggregate form, to track and analyse site usage.
Further, we may use your photograph, name and surname, any comment and affiliation in conference presentations, newsletters, and marketing and announcement materials where we have obtained your permission. We shall take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current. If you wish to opt out of our use of your personal information, see the “Your Consent; Opting Out” section below.
ESRL uses the following types of cookies:
Authentication and Security
These cookies are used when a user is seeking to access content or create or log into a user account. The cookies are also used to prevent fraudulent use of login credentials and ensure security of user data. These cookies contain information regarding the user’s institution through which the user has access and/or the user’s IP address including regional geographic information connected to such IP address.
These cookies contain information concerning features of our website to allow users to customise the way they interact with such site.
For example, when a user account has an option to save the user’s login information for future use as well as other dynamic website features.
Analytics with Third Party Cookies
These cookies are used to collect information about how users interact with the ESRL website. This information is also used to compile reports to assist us to improve the website, including reports on the number of visitors to the site, where the visitors have come from, and what pages the users visit on the site. Third party cookies may also be used to assist users with support and diagnose identified issues with our website.
Other Tracking Technologies and Automated-Decision Making Practices
As with most websites, we gather certain information automatically and stores it in log files. This information may include internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data. We link this automatically collected data to other personal information we collect about you.
Through this Statement, we will notify individuals of any automated-decision making practices we may engage in regarding personal information, including the logic involved, and the significance of the decision as well as the consequences for you. We also will ensure that you may opt out of such automated-decision making practices.
Onward Transfer of Information
We may work with other organisations that provide specific services for us, such as banking. We shall provide only the personal information necessary for the third party to provide these services for us. These organisations may not use personal information except for the purpose of providing these services.
We may also transfer personal information to third parties, including third parties located internationally, such as other rail companies who can better assist with your inquiries, to facilitate order fulfilment, and to enable them to inform users of services provided by us and/or the third parties’ products and services that may be of interest. We require that these parties agree to process such information based on our instructions and in compliance with this Statement, and any other appropriate security measures. In addition, when transferring personal information that is subject to the GDPR, we require a GDPR-approved transfer mechanism to be in place, such as Binding Corporate Rules or Privacy Shield Certification.
We don’t not sell or share personal information about or the rail service history of customers, except as set forth above and in the following circumstances:
- In certain situations, we may be required to disclose personal information in response to lawful requests made by public authorities, including to meet national security or law enforcement requirements. If required to do so by law; or if we believe in good faith that such action is necessary to comply with the law or a legal proceeding; or to protect against violations of our Disclaimer; or to protect and defend our rights and property or the rights and property of rights holders whose content is made available through our website; or with service providers with whom we have entered into agreements to assist us with our business operations; such personal information may be disclosed.
- If we are involved in a merger, acquisition, or sale of all or a significant portion of its assets, you will be notified via email and/or a prominent notice on our website of any change in ownership or uses of your personal information, as well as any choices you may have regarding your personal information.
In addition, we may share general usage data in aggregated form so that no personal information is identifiable to participating institutions, content providers, researchers, and the general public. We shall provide you with all of your retained personal information provided at registration (where applicable) on request.
Your Consent; Opting Out
By using our services, you consent to the collection and use, in accordance with this Statement, of the information you provide to us. We shall remove you and your personal information from our records or refrain from using your personal information in connection with certain services on request if you contact us with your requests by utilising the Contact Us mechanisms on our website. Please note that this may prevent you from accessing our services if we require this information in order to perform in terms of our agreement/s we have with you.
You may choose to stop receiving any of our communications or marketing emails by utilising the Contact Us mechanisms on our website.
We protect your personal information from unauthorised access and disclosure through the use of account numbers, passwords, physical security measures, and managerial measures. We nonetheless recognise that third parties may obtain access to information through unlawful actions, and thus do not promise that your information will always remain private, despite our best efforts and the importance we place on maintaining your privacy. In addition, we do not claim any responsibility for information collected by or from website or mobile applications linking to or from our website or mobile applications.
In the event that we discover or are notified of a security breach where personal information is at risk, we will notify you electronically if we have your email address. If you do not wish to be notified via email in the event of a breach, please contact us by utilising the contact mechanisms on our website.
Access, Erasure, and Correction
Upon request, we shall provide you with information about whether we hold any of your personal information. If you would like to review, delete or update your information, you may contact us utilising the Contact Us mechanisms on our website. We shall permit you to correct, amend, or delete information that is demonstrated to be inaccurate. We shall respond to your request within a reasonable timeframe. Please note, because of the way we maintain certain services, after you delete or amend your information, residual copies may take a period of time before they are deleted from our active servers and may remain in our backup systems.
You will need to provide sufficient identifying information, such as your name and email address and possible additional identifying information as a security precaution.
We will retain your personal information for as long as your account is active, or as needed to provide you with our services, or required by law. If you wish to cancel your account or request that we no longer use your personal information to provide you with services, contact us by utilising the Contact Us mechanisms on our website. We will retain and use your personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
Enforcement and Dispute Resolution
We engage in periodic self-assessment to ensure compliance with this Statement. We verify that the Statement is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented, and where applicable, in conformity with the GDPR and POPIA. We encourage interested persons to raise any concerns with us utilising the contact mechanisms on our website. We shall investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with the principles contained in this Statement.
If you have an unresolved privacy or data concern that we have not addressed satisfactorily, European Union data subjects may seek an administrative or judicial remedy or to lodge a complaint with a supervisory authority, in particular in the member state of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. Information on how to file such a complaint is available here: http://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm
For South African data subjects, information on how to file a complaint in relation to POPIA, or to contact the Information Regulator, is available here: http://www.justice.gov.za/inforeg/.
Notification of Privacy Statement Changes
We may update this Statement to reflect changes to our information practices. If we make any change in how we use your personal information, we shall notify you by way of a communication on our website. We encourage you to periodically review this Statement for the latest information on our privacy practices.
If you have any inquiries about this Statement or its implementation, you may contact us by utilising the Contact Us mechanisms on our website.