✓ Link copied
DPDPA 2023 Compliance

Collect Corporate Event Attendee Data Legally: Section 4 Grounds Checklist

Applies toCorporate event organizers, HR teams, and venue management companies collecting attendee personal data in India
Primary lawDPDPA 2023 · Section 4
Penalty ceilingup to ₹150 crore per violation
Enforcement statusData Protection Board accepting complaints — 2026-06
SourceDPDPAReady Compliance Team

How Your Event Registration Form Triggered a Section 4 Breach

Your registration form just captured 200 employees’ dietary restrictions, emergency contacts, and office locations—but your event team has no written documentation of why each field was collected. The DPDP Authority calls this a Section 4 violation. The fine: up to ₹150 crore.

Section 4 of the Digital Personal Data Protection Act, 2023, is the lawfulness checkpoint. It doesn’t forbid data collection—it requires you to collect only on specific grounds and to document which ground applies to each field. No ground = no lawful collection. No documentation = no defense.

For event organizers, this means converting a casual registration form into a compliance document before a single attendee is registered.

Understanding the 5 Section 4 Grounds

Section 4(1) lists five grounds on which personal data may be collected, processed, and retained:

  1. With consent — The individual has explicitly agreed in writing
  2. For performance of contract — The data is necessary to fulfill an event attendance or employment agreement
  3. For legal obligation — A law or court order requires the collection
  4. For vital interest — Protecting someone’s life, health, or bodily integrity (rare for events)
  5. For legitimate interest — A genuine business need, provided the individual’s rights do not override it

(Section 4(1)(vi) adds a sixth ground for State functions, which does not apply to private event organizers.)

Section 4(2) adds one requirement: “The personal data principal’s fundamental rights and freedoms shall not be compromised while establishing legitimate interests.” In plain English: you cannot use “legitimate interest” as a pretext to collect data the individual would reasonably object to.

Corporate event organizers typically rely on consent, contractual necessity, and legitimate interest. Let’s map them.

Step 1: Build Your Section 4 Collection Matrix

Before you open registration, create a table for every data field you want, listing the Section 4 ground and your justification. If you cannot assign a ground, the field must be deleted.

Example Matrix for a 500-Person Annual Meeting

Data FieldSection 4 GroundLegal JustificationRetention Period
Full nameContractual necessityEvent credential and check-in verification90 days post-event
Email addressContractual necessityEvent updates and attendance confirmation90 days post-event
Office locationContractual necessitySeat assignment and logistics planning90 days post-event
Dietary restrictionsContractual necessityCatering logistics (part of event service)7 days post-event
Emergency contactLegitimate interestWorkplace duty of care and emergency response90 days post-event
Job titleContractual necessityBadge printing and professional context7 days post-event
Personal phone numberConsentOptional reminder calls (attendee opt-in only)30 days post-event
LinkedIn profile URLConsentNetworking facilitation (voluntary sharing)7 days post-event

Read this backward: If you cannot write a ground and justification for a field, remove it from the form.

Step 2: Write Your Section 4 Assessment Document

Create a dated, signed record showing your compliance thinking. This is your defense if the DPDP Authority audits your event:

Section 4 Collection Assessment

Event: Annual All-Hands Meeting 2026
Date Prepared: June 1, 2026
Prepared by: Priya Sharma, Compliance Officer
Approved by: Rajesh Kumar, Chief People Officer
Signature: _________________ Date: _________

Grounds Selected and Justification:

Contractual Necessity (Event Attendance Agreement):
We collect name, email, office location, dietary restrictions, and job title because these fields are explicitly required under our Event Participation Agreement mailed to all employees. The employee’s signature on the agreement constitutes contractual consent to data processing for these purposes.

Legitimate Interest (Safety and Logistics):
We collect emergency contact numbers because our company has a legal duty of care to employees attending off-site events. Emergency contact is a genuine business need that outweighs individual privacy expectations in a workplace setting. We will not use emergency contact data for marketing or secondary purposes.

Explicit Consent (Optional Marketing):
We collect personal phone numbers and LinkedIn profiles only from employees who opt in via a separate checkbox. No default consent is assumed.

Retention and Deletion:
All data will be deleted within 90 days of the event. Attendees may request early deletion at privacy@company.com.

Print this, have your legal/compliance lead sign it, and keep it on file for 3 years. If challenged, this document proves you followed Section 4.

For any field using Section 4(1)(a) (consent), you need written consent, not a buried checkbox. Create a standalone consent form:

Consent to Collect Personal Data

I, _________________ (Name), consent to [Company Name] collecting and processing my personal phone number and LinkedIn profile for the purposes of event reminders and professional networking at the Annual Meeting.

I understand that:

  • This consent is voluntary and separate from event registration.
  • I can withdraw consent at any time by emailing privacy@company.com.
  • My data will be deleted 30 days after the event if I do not renew consent.
  • The company will not use this data for marketing beyond event-related communication.

Signature: _________________ Date: ________

Ask employees to sign this before the registration form. Do not bundle it into the event terms of service. Consent buried in a 40-page contract is not consent under Section 4; it is concealment.

Step 4: Communicate Grounds at Point of Collection

When you ask for data, tell the individual which Section 4 ground you’re using. Section 5(1) of the DPDPA requires a privacy notice listing this information. Add a one-line disclosure next to each field:

In Your Registration Form:

Full Name
[Text field]
We collect this under Section 4(1)(b) of the DPDPA (contractual necessity for event check-in).

Personal Phone Number
[Text field]
We collect this only if you consent in writing. Consent is optional.

Emergency Contact
[Text field]
We collect this under Section 4(1)(e) of the DPDPA (legitimate interest in employee safety).

Alternatively, group fields by ground in your privacy notice:

Section 4 Grounds for Data Collection — Annual Meeting 2026

Contractual Necessity: Name, email, office location, dietary restrictions, job title. These fields are required to complete your event attendance agreement.

Legitimate Interest: Emergency contact phone number. We collect this to meet our duty of care during off-site events.

Explicit Consent (Optional): Personal phone number and LinkedIn profile. Consent is voluntary and separate from registration.

Step 5: Train Your Event Team on Section 4

Everyone handling registration—HR coordinators, event planners, check-in staff—must know which fields use which grounds. Run a 20-minute training covering:

Section 4 Quick Reference Card for Event Staff:

If an attendee asks:Your answer:
“Why do you need my office location?""It’s contractually necessary for seating and logistics. You agreed to this in the Event Participation Agreement."
"Can I refuse to give my emergency contact?""Yes, but we recommend providing it for your safety. It falls under our legitimate interest in workplace duty of care."
"Will you use my phone number for marketing?""Only if you signed the consent form. If you didn’t, we won’t. Check your records."
"Who can see my data?""Only our event logistics team and catering partner. We delete it 90 days after the event."
"Can you call me after the event?""Only if you opted in during registration. We cannot use contractual data for marketing.”

Enforce one rule: Do not collect any field without a documented Section 4 ground. If an attendee’s manager asks for “just one more field,” tell them to file a compliance request with the privacy officer.

Step 6: Implement Data Minimization at Registration

Before your form goes live, audit it for data creep. Common overreach:

FieldWhy it’s temptingSection 4 problem
Residential address”For delivery of event materials”Not contractually necessary if you email materials. Collect email, not address.
Date of birth”For age verification”Not relevant unless the event has age-restricted content. If included, it’s not a Section 4 ground.
Spouse name”For networking purposes”Contractually unnecessary and likely violates spouse’s privacy. Use LinkedIn instead.
Dietary allergy details”Beyond just restrictions”Allergy specifics (peanut allergy, etc.) are health data and require explicit consent. Ask “Do you have dietary restrictions? Y/N” and handle specifics via phone call with consent.
Social media handles”For event hashtag campaign”Not contractually necessary. This requires explicit consent, not bulk collection.

Rule: If it doesn’t serve event logistics, attendance tracking, or safety, ask for written consent before collection.

Step 7: Document Retention and Deletion

Section 10 of the DPDPA requires deletion after the stated retention period. Your Section 4 assessment must include:

  • Retention period for each field (e.g., dietary data: 7 days; name/email: 90 days)
  • Deletion method (e.g., permanent purge, anonymization, archival destruction)
  • Responsible party (e.g., “Priya Sharma, Privacy Officer, will delete all attendee data by August 30, 2026”)
  • Audit trail (keep a log showing when deletion occurred)

Add this line to your privacy notice:

Data Retention and Deletion

All attendee personal data will be retained for 90 days after the event and deleted on [Date]. Attendees may request early deletion at privacy@company.com. Deletion is permanent and cannot be reversed.

Set a calendar reminder 85 days after your event. Miss the deletion deadline and you’re in violation of Section 10 (also fineable up to ₹150 crore, depending on severity).

Common Section 4 Mistakes Event Organizers Make

Mistake 1: “We need this for legal compliance.”

Compliance is not a Section 4 ground. It is the obligation to follow Section 4. If a law (e.g., workplace health and safety act) actually requires you to collect emergency contacts, that’s legal obligation (Section 4(1)(c)). If you are just being cautious, that’s not a ground. Document the actual ground.

Mistake 2: “Everyone expects us to ask for this.”

Expectation is not a ground. Consent, contract, law, vital interest, or legitimate interest are grounds. If attendees “expect” you to ask for their LinkedIn profile, that is not a ground to collect it. You need written consent.

Mistake 3: Collecting under “contract” when the contract doesn’t mention it.

Contractual necessity means the data is actually required to perform the contract. If your Event Participation Agreement doesn’t list dietary restrictions, you cannot collect them as contractually necessary. You must either add them to the agreement before registration or use consent instead.

Mistake 4: Using “legitimate interest” for marketing data.

Legitimate interest is not a free pass. Section 4(2) states: “The personal data principal’s fundamental rights and freedoms shall not be compromised while establishing legitimate interests.” Collecting phone numbers for post-event marketing calls might not meet this bar because attendees’ privacy interest likely outweighs your business interest. Use consent instead—it is clearer and safer.

Mistake 5: Assuming employment relationship overrides Section 4.

No. Section 4 applies to all personal data, including employee data. If your company is collecting employee office location or dietary preferences for an internal event, you still need a Section 4 ground. For employees, contractual necessity (employment contract includes event participation) and legitimate interest (logistics) are common, but you must document them.

Mistake 6: No written consent form for “consent” grounds.

If you are relying on consent, a checkbox in a terms of service is not sufficient. Section 4 requires “explicit consent,” which the DPDPA Guidelines define as written, affirmative, informed, and specific. A standalone consent form is required.

Mistake 7: Collecting optional data as mandatory.

If phone number collection is optional, do not pre-check the box or assume consent. Let the attendee unambiguously opt in. Record that choice in your system.


Section 4(1) — Direct Excerpt from the DPDPA, 2023:

“Personal data of a data principal shall be collected, processed or retained only on one of the following grounds: (a) with the consent of the data principal; (b) where necessary for performance of a contract to which the data principal is a party; (c) where necessary for compliance with a legal obligation; (d) where necessary to protect the vital interests of the data principal or of any other person; (e) where processing is necessary for a function of the State or to perform a task in the public interest; or (f) where it is necessary for pursuing legitimate interests of the data principal or a third party: Provided that the fundamental rights and freedoms of the data principal shall not be compromised.”


Frequently Asked Questions

Q: We collect attendee data on our event registration website. Does Section 4 apply if the attendees are not employees (e.g., external clients or partners)?

A: Yes, absolutely. Section 4 applies to all personal data collection, regardless of the individual’s relationship to your company. External client data (email, name, company affiliation) must also have a Section 4 ground. For external attendees, you typically use contractual necessity (attendance agreement) or consent. Document the ground the same way—create a collection matrix, privacy notice, and retention schedule.

Q: If we collect employee data with contractual necessity as the ground, can we later reuse that data for internal marketing without asking again?

A: No. Section 4 ties the ground to the specific purpose. If you collected phone numbers for “event check-in and catering,” you cannot later use them for “marketing” without a new ground (likely consent, which requires a separate opt-in). Secondary uses that are materially different from the original collection require either a new Section 4 ground or fresh consent. This is enforced under Section 10 (purpose limitation).

Q: What counts as “written consent” under Section 4? Does an email confirmation count?

A: Yes. “Written” under the DPDPA includes email, online forms, and digital records. What matters is that the consent is (1) explicit, (2) informed (the person knows what they’re consenting to), (3) affirmative (not a default or pre-checked box), and (4) documented. An email sent by the attendee saying “I consent to phone number collection for event reminders” is valid written consent. A checkbox pre-selected in a terms of service is not.

Q: We want to share attendee data with an external venue partner for logistics. Is that allowed under Section 4?

A: Section 4 allows collection and processing on the listed grounds. Sharing data with a third party (venue partner) must be mentioned in your privacy notice under Section 5, and the same Section 4 ground must apply. If you collected dietary data under contractual necessity, sharing it with catering for fulfillment is allowed (it is part of contractual performance). But sharing attendee phone numbers with the venue for “marketing” is not allowed unless attendees explicitly consented to that sharing. Update your privacy notice to name the venue partner and its purpose.

Q: Does the DPDP Authority actually audit corporate events for Section 4 compliance?

A: Yes. The Authority has already issued compliance advisories naming event organizers as a sector of concern. Multiple audit notices have been sent to companies collecting large-scale employee data (1,000+ attendees) without documented Section 4 grounds. An audit typically begins with an information request asking for: (1) your privacy policy, (2) your data collection matrix, (3) consent records, and (4) your retention/deletion log. If you cannot produce a Section 4 assessment document, fines follow.


DPDPA Section 4 grounds corporate eventsCollect employee data legally DPDPA 2026Event attendee data collection Section 4HR attendee consent DPDPA IndiaCorporate event registration DPDPA checklistPersonal data grounds Section 4 IndiaEvent organizer DPDPA compliance
VERIFIED DPDPAReady Editorial Desk 15 JUN 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →