The Office of the Data Protection Commissioner (ODPC) has issued a draft sector-specific guidance note targeting all transport operators in Kenya, including matatus, buses, SACCOs, ride-hailing platforms, logistics firms, rail, aviation, and maritime operators.
In a statement, the office said that the proposed framework applies to both public and private entities that handle passenger and operational data, and that it guides them in accordance with the Act and the Regulations.
“These guidance notes are intended to provide clear and concise guidance on the handling of personal data in accordance with the Act and the Regulations,” the ODPC statement read in part.
The commission explains that data breaches must be reported within 72 hours, with processors required to notify controllers within 48 hours.
Non-compliance may result in fines of up to KSh5 million or 1% of annual turnover, alongside criminal sanctions, civil liability, and possible suspension of operations.
“Failure to comply with an enforcement notice: Fine up to KES 5,000,000, or imprisonment up to 2 years, or both,” the draft read.
ODPC invited all stakeholders to review the draft guidance note and submit their comments for consideration. The regulator directed that feedback be captured using the provided template and submitted via email for official review.
The submissions are to be sent to [email protected], with the deadline set for 15th May 2026. The review process is intended to incorporate stakeholder input before finalization of the transport sector data protection framework.
ODPC Proposes Mandatory Registration for Transport Operators
Under the guidance, transport operators are classified as data controllers and processors and must comply with the Data Protection Act 2019. Registration with the ODPC is made mandatory, placing all operators under formal regulatory oversight for handling personal data.
“Transport operators process personal data as part of their operations and should therefore register with the ODPC as a data controller, data processor, or both, depending on their processing activities. Registration for transport operators is mandatory as per the General Regulations,” the commission stated.
The framework addresses growing privacy risks associated with digitized transport systems, including e-ticketing, GPS tracking, mobile applications, CCTV surveillance, digital payments, and data profiling. It also addresses risks related to cybersecurity threats and unauthorized sharing of customer information.
It further states that operators are required to adhere to core data protection principles, including lawful and transparent processing, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability. Personal data must be processed only on lawful grounds, such as consent, contractual necessity, or legal obligation.
Strict Data Handling, Breach Reporting, and Penalty Rules for Transport Operators
The ODPC guidance requires transport firms to collect only necessary data, use it strictly for stated purposes, and retain it only for limited periods. It also mandates safeguards against unauthorized access, loss, or misuse of passenger and employee data.
In the draft, strict governance measures are introduced, including the adoption of data protection policies, the appointment of Data Protection Officers where required, staff training, internal audits, and the maintenance of Records of Processing Activities. High-risk processing activities such as surveillance and location tracking require Data Protection Impact Assessments.
The framework regulates data sharing, cross-border transfers, and marketing use, all of which are allowed only with express consent and must include clear opt-out options. Data subjects, including passengers and employees, are granted rights to access, correct, delete, and object to automated decisions within set timelines.





