On 15 May 2026, the Kenya Office of the Data Protection Commissioner closes the consultation on the draft Guidance Note to the Transport Services Sector. The draft Guidance Note applies to all transport operators in Kenya, including public transport providers, private bus and matatu companies, matatu SACCOs, freight and logistics firms, taxi-hailing and ride-hailing platforms, rail operators, aviation service providers, and maritime operators. The Kenya Office of the Data Protection Commissioner issues the draft Guidance Note under the Data Protection Act No. 24 of 2019 and its attendant regulations. The draft Guidance Note would set out the data protection obligations of transport operators acting as data controllers and/or data processors, covering the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability, as well as the lawful bases for processing personal data. The draft Guidance Note would further address compliance obligations, including mandatory registration with the Kenya Office of the Data Protection Commissioner, appointment of a Data Protection Officer, data mapping and Records of Processing Activities, privacy by design and default, data breach notification, Data Protection Impact Assessments, engagement of data processors, cross-border data transfers, data localisation under Regulation 26 of the Data Protection (General) Regulations 2021, and the use of personal data for commercial purposes. The draft Guidance Note would additionally set out data subject rights and the consequences of non-compliance, including administrative penalties of up to KES 5 million or 1% of annual turnover, whichever is lower, criminal penalties of up to KES 3 million or 10 years' imprisonment, and civil liability for compensation to affected data subjects.