Process Participant Data Legally: 5 Section 4 Compliance Steps for Marathon Organizers
| Applies to | Marathon Organizers & Sports Event Management Companies operating in India |
| Primary law | DPDPA 2023 · Section 4 |
| Penalty ceiling | ₹150 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — 2026-06 |
| Source | DPDPAReady Compliance Team |
What Section 4 Requires for Marathon Organizers
A runner registers for your half-marathon: name, email, emergency contact, medical history, race bib number. That personal data is now your responsibility under DPDPA Section 4—and mishandling it can trigger ₹150 crore in penalties.
Sports event organizers routinely collect participant information—contact details, health disclosures, emergency contacts, location data from GPS tracking, photos and video from race coverage. Yet many lack a structured process to ensure Section 4 compliance. The result: unprotected databases, missing consent records, and unnecessary legal risk.
This guide walks you through the five critical compliance steps that Section 4 requires for marathon organizers, so you can process participant data lawfully and deliver great events.
Section 4 of the DPDPA establishes that personal data may only be processed when there is a lawful basis for doing so. The law recognizes that marathon organizers have legitimate reasons to collect participant information—but only if you’ve identified a legal ground for each data element you collect.
The DPDPA frames lawful grounds for processing as follows:
Personal data shall be processed on the basis of consent or such other grounds as may be specified by the Board under Section 4.
This means: before you collect a participant’s name, medical history, or photo, you must identify which of these grounds justifies the collection:
- Consent: Participant explicitly agrees to data collection
- Performance of contract: Data needed to fulfill the race registration agreement
- Legal obligation: Data required by law (e.g., health reporting requirements)
- Legitimate interest: Data necessary for event safety or operations (emergency contact, for instance)
For marathon organizers, every data point must fit into one of these categories. If it doesn’t—if you’re collecting data “just in case” or for unspecified future uses—you’re violating Section 4.
5-Step Section 4 Compliance Process for Marathon Operators
Step 1: Create a Data Inventory for Your Marathon Operations
List every personal data point you collect:
- Registration data: name, email, phone, date of birth, gender
- Address (for bib mailing)
- Emergency contact details
- Medical information (allergies, health conditions, medications)
- Payment information (if you process registration fees)
- Race photos and video
- GPS/timing chip location data
- Social media handles
- Dietary preferences or accessibility needs
Action item: Build a spreadsheet with columns: Data Element | Collection Point | Purpose | Lawful Ground | Retention Period | Who Accesses It.
Step 2: Assign a Lawful Ground to Each Data Element
Section 4 requires that you identify a legal basis for every data point. This is mandatory—you cannot collect data without justification.
| Data Element | Legal Ground | Justification |
|---|---|---|
| Name, email, phone | Performance of Contract | Needed to register, send race details, communicate results |
| Age/date of birth | Performance of Contract + Legitimate Interest | Required for age-group categories; confirms eligibility |
| Medical history (allergies, medications) | Consent + Legitimate Interest | Participant consents to sharing with medical staff; organizer has legitimate interest in preventing medical incidents on-course |
| Emergency contact | Legitimate Interest | Organizer must reach someone if participant has a medical event |
| Race photos/video | Consent | Not necessary for the race itself; photo use requires explicit consent |
| GPS location data | Consent + Performance of Contract | Timing/tracking system requires consent; necessary for real-time results and safety |
| Social media handles | Consent | Optional; only if participant agrees to be tagged/featured |
Action item: Review this table with your legal advisor. Confirm the ground for each data type. If you cannot justify a ground, remove that data collection requirement.
Step 3: Draft Granular Consent Forms Aligned with Section 4
Where consent is required, Section 4 mandates that it must be freely given, specific, informed, and unambiguous. This means:
- Each consent request must be separate (not bundled)
- Participants must understand what they’re consenting to
- There must be a clear mechanism to withdraw consent later
Sample consent language (adapt for your event):
Mandatory for Registration:
- I wish to register for [Marathon Name] and agree to provide my contact and emergency information for race operations.
Optional – Health Data Sharing:
- I consent to [Marathon Name] collecting and sharing my health information (allergies, medications, conditions) with on-course medical staff only in the event of a medical emergency during the race.
Optional – Race Photography:
- I consent to having my photo and video taken during [Marathon Name] and to [Marathon Name] using these images on social media, in promotional materials, and on the race website for one year after the event.
Optional – Sponsor Communications:
- I consent to [Marathon Name] sharing my email address with race sponsors for promotional offers and event information. (I can unsubscribe anytime.)
Optional – Location Tracking:
- I consent to GPS/timing data collection for real-time race tracking and safety monitoring during the race.
Action item: Separate your registration form into mandatory fields (registration, safety) and optional fields (photos, tracking, sponsor sharing). Present each consent separately. Record timestamps or submission proof of each participant’s choices.
Step 4: Set Retention Limits and Automate Data Deletion
Section 4 requires that data be retained only as long as necessary (“data minimization”). Create a deletion schedule:
| Data Type | Retention Duration | Why Delete After |
|---|---|---|
| Contact info (name, email, phone) | 2 years | Covers results queries, bib replacements, historical records |
| Medical history | 30–60 days post-event | Safety period expires; ongoing retention creates unnecessary privacy risk |
| Race photos | Until promotional use ends (typically 6–12 months) | Organizer’s promotional interest fades; honor privacy |
| GPS tracking data | During race only | No purpose after event; delete same-day to minimize breach risk |
| Payment data (if collected) | Per PCI-DSS (<90 days) | Compliance with payment processor standards |
Action item:
- Document this schedule in writing
- Set calendar reminders to delete old data
- Train staff on the deletion protocol
- Keep a log of deletion dates and quantities (e.g., “Deleted 5,000 medical records on 2026-08-15”)
Step 5: Maintain Section 4 Compliance Records
If a regulator audits you or a participant files a complaint, documentation is your proof of compliance. Maintain:
- Data Processing Register: Spreadsheet listing all data types, grounds, retention, access
- Consent Records: Screenshots, timestamps, or submission logs proving participants consented
- Retention & Deletion Log: Dates when data was purged, who authorized it
- Access Control List: Names of staff who can view sensitive data (medical info, addresses) and why
- Breach Response Plan: What you’ll do if participant data is leaked or stolen
Action item: Create a folder (physical or digital) labeled “DPDPA Compliance” and store these five documents. Update after each race.
Common Section 4 Violations Among Marathon Organizers
Collecting Data Without a Specified Ground: A marathon form asks for home address, employer, and spouse contact—“just in case we need to reach you.” But you never use these fields. Section 4 breach: Data collected without a lawful ground. Fix: Ask only for data necessary for registration and safety. Remove fields you don’t use.
Hidden or Bundled Consent: Your registration checkbox reads, “I agree to all terms” (500 words of legalese). Buried inside is consent for photo use and sponsor data sharing. Section 4 breach: Consent is not freely given if it’s hidden or bundled with mandatory registration. Fix: Use separate, clear consent requests. Participants see what they’re agreeing to.
Indefinite Data Retention: You collected medical data from 3,000 participants in 2024. It’s now 2026, and that data still sits in a file—never deleted, never secured. Section 4 breach: Retention beyond necessity violates data minimization. Fix: Delete medical data 30–60 days post-race. Document your deletion policy and stick to it.
Sharing Data Without Lawful Ground: You partner with a sports nutrition brand and email them your 5,000 participant emails so they can send “race-day tips.” Participants didn’t consent, and no contract required it. Section 4 breach: Data sharing without a lawful ground. Fix: Obtain explicit consent before sharing participant data with sponsors. Offer opt-in, not opt-out.
Frequently Asked Questions
Q: Can I include a participant’s photo in race coverage if they didn’t explicitly consent?
A: No. Section 4 requires a lawful ground for every use of personal data, including photos. If a participant did not consent to photography, you cannot include their image in event coverage, social media, or promotional materials—even incidentally. The safest approach: obtain granular consent before the race and respect all opt-outs.
Q: How long must I keep medical data after the marathon ends?
A: Section 4 does not specify an exact timeline, but requires data to be kept only “as long as necessary.” For medical data collected during a race, a 30–60 day retention window is reasonable—long enough to handle medical incident follow-ups and participant inquiries, but short enough to minimize privacy risk. Anything longer than 90 days is hard to justify unless you have a documented legal obligation or specific safety need.
Q: Can I share the participant list with sponsors for marketing if the fine print of my terms allows it?
A: Only if you obtained explicit, granular consent from each participant. Section 4 prohibits bundled or hidden consent. If your consent form says, “I agree to contact from sponsors,” and a participant ticked that box, they can be contacted. Those who didn’t tick it must not receive sponsor emails, even if the legal terms mention sponsor contact. Maintain a record of who consented and who didn’t.
Q: What should I do if a participant’s medical data is exposed in a data breach?
A: Notify the participant without undue delay—ideally within 72 hours. Document what data was exposed, how the breach occurred, and what steps you’ve taken to prevent future breaches. Notify relevant authorities if required (state data protection authority, if one exists, or the central regulator). While Section 4 does not explicitly require breach notification, best practice and emerging DPDPA enforcement norms expect it. Maintain a written breach response plan.
Q: Is Section 4 the only DPDPA section I need to worry about as a marathon organizer?
A: Section 4 is your primary compliance focus—it governs the legal grounds for processing participant data. However, you should also understand Section 5 (consent mechanisms), Section 12 (right to erasure/deletion), and Sections 8–9 (which specify penalties for breaches). A strong Section 4 compliance program will naturally support compliance with these sections, too. Start with Section 4, then expand your knowledge of the full act.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →