Industry Hub · Marathons, Races & Sports Events

DPDPA Compliance for Marathon Organisers and Race Photography Platforms

Bib-face matching, runner galleries, and post-event archives are biometric processing under DPDPA 2023. Enforcement is live. Penalties reach Rs 250 crore.

DPDPA 2023 treats facial geometry, bib-linked face embeddings, and runner photo archives as personal data - in most cases, sensitive biometric data. Marathon organisers, sports clubs, and race photography platforms running AI bib-face matching are Data Fiduciaries. The Data Protection Board began enforcement in 2026. Penalties reach Rs 250 crore per breach. This page maps the Act to the real event-day workflow: registration, expo, on-course capture, AI matching, gallery delivery, sponsor sharing, post-event archives.

Critical sections for Marathons, Races & Sports Events

Section 4 - Grounds for processing: bib-face matching requires consent, not legitimate useSection 6 - Notice requirements at registration and selfie uploadSection 8(4) - Security safeguards for biometric vectors on photography platformsSection 8(6) - 72-hour breach notification if runner gallery leaksSection 9 - Children's data: junior runners, kids' dashes, school relaysSection 10 - Significant Data Fiduciary duties at 50k+ runner biometric scale

Your DPDPA obligations

Granular consent for biometric processing

Bib-face matching uses facial geometry requiring explicit unbundled consent. Registration T&C checkboxes do not qualify. Build a separate notice at the moment of selfie or reference photo upload.

Section 4, Section 6

Multi-language notice

Notices must be available in English and any of the 22 Eighth Schedule languages the runner picks. Most race registration platforms today are English-only - a compliance gap.

Section 6(3)

Purpose limitation on runner photos

Photos collected to deliver a personalised gallery cannot be reused for sponsor marketing, next year's promo reel, or AI training without fresh consent for each new purpose.

Section 5, Section 7

Security safeguards for face vectors

Face embeddings at your photography vendor must be encrypted at rest, access-logged, and segregated from raw images. Public S3 buckets and unindexed gallery URLs are not safeguards.

Section 8(4)

72-hour breach notification

If galleries, face vectors, or registration KYC are exposed, the Board and affected runners must be notified within 72 hours. Build the playbook before race day.

Section 8(6)

Children's race categories

Junior marathons, kids' dashes, and school relays need verifiable parental consent before any photo or face vector is processed. Behavioural tracking and ads to minors prohibited.

Section 9

Grievance officer and DPO

Named grievance officer with India contact details on race website, bib confirmation, and gallery portal. Significant Data Fiduciaries also need a DPO based in India.

Section 8(9), Section 10

Data Processor agreements

Photography platforms, face-match SaaS, cloud storage, SMS gateways are Data Processors. Written contract under Section 8(2) mandatory before any data flows.

Section 8(2)

Common violation scenarios

Bib-face matching at 25,000-runner marathon without granular biometric consent notice at registration

Up to Rs 250 crore for invalid consent on biometric processing

Section 4 read with Section 6

Runner gallery left publicly indexable; 8,000 finisher photos scraped by aggregator within 48 hours

Up to Rs 250 crore for failure to protect personal data

Section 8(4) reasonable security safeguards

Junior 3K race processes face photos of 600 minors without verifiable parental consent at registration

Up to Rs 200 crore for processing children's data without parental consent

Section 9(1) children's personal data

Face embeddings of 50,000 runners breached at vendor; organiser misses 72-hour Board notification

Up to Rs 200 crore for failure to notify Board and data principals

Section 8(6) breach intimation

Runner deletion request via grievance officer ignored for 6 months

Up to Rs 50 crore for failure to act on principal's rights

Section 8(10) and Section 13 grievance redressal

Race photos shared with 12 sponsors as marketing dataset under bundled registration consent

Up to Rs 250 crore for invalid consent and purpose limitation breach

Section 6(1) consent must be specific and informed

Industry-specific risks

Bib-face matching AI vendors storing runner face embeddings on offshore servers without Section 16 cross-border compliance
Photo galleries indexed by Google making runner images publicly searchable by name and bib number
Sponsor-driven find-your-photo WhatsApp shares leaking runner images outside the consent perimeter
Unofficial race-photo aggregators scraping galleries within hours of event close
Junior marathon and school relay photos processed without verifiable parental consent under Section 9
Timing chip data joined with face vectors creating a re-identifiable biometric+location profile beyond original purpose

Consent capture checklist

Separate granular consent at bib registration for facial biometric processing - unbundled from race T&Cs
Notice in English plus Eighth Schedule languages before selfie or face-reference upload
Explicit opt-in for sharing runner galleries with sponsors, brands, or media - default unchecked
Verifiable parental consent for runners under 18 in junior, kids', and school relay categories
Withdrawal mechanism on app and website to delete face vector, photos, and archives within 72 hours
Published retention schedule for bib-face embeddings, raw photos, timing data (recommend max 90 days for biometrics)
Signed DPA with photography vendor, AI face-match SaaS, and cloud storage before event day
Grievance officer name, India email, phone on bib confirmation and race website footer

→ Generate a bilingual DPDPA consent form for Marathons, Races & Sports Events

Frequently asked questions

Is bib-face matching legal under DPDPA 2023?

Yes, with explicit granular consent. Facial geometry is sensitive personal data. Organisers must give a standalone notice at registration, separate from race waivers, and offer a no-photo opt-out where runners still get timing results.

Can we keep runner photos forever as a race archive?

No. Section 8(7) requires erasure once purpose is fulfilled. Biometric face vectors should be deleted within 90 days of event; raw photos retained longer only with fresh consent for archival or commercial use.

What if a runner asks us to delete their photos?

Comply within a reasonable period - industry norm 30 days. This includes face embeddings, gallery URLs, sponsor-shared copies, and social reposts you control. Document the deletion confirmation.

Does this apply to small local 5K races?

Yes. DPDPA has no minimum threshold. A 500-runner charity 10K using bib-face matching is fully in scope. Penalties up to Rs 250 crore apply regardless of size.

Who is liable - organiser or photography vendor?

Both. Organiser is Data Fiduciary; photography platform is Data Processor. A signed DPA is mandatory under Section 8(2). Organiser remains primarily accountable to the Board and to runners.

Can sponsors get runner photos for marketing?

Only with separate consent from each runner. Bundling sponsor-sharing into registration consent is invalid - the Board has flagged bundled consent as a high-priority enforcement target.

Get a Marathons, Races & Sports Events-specific compliance audit

Free 48-hour DPDPAReady audit — we map your exact workflow against every applicable Section and ship the consent forms, retention schedules, and breach playbooks you need.

Get your free audit →

VERIFIED • DPDPAReady Editorial Desk • 20 JUN 2026

Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.