✓ Link copied
DPDPA 2023 Compliance

Corporate Events Section 4 Notice: 7-Point Disclosure Checklist & Template

Applies toCorporate event organizers, HR consultants, and employee engagement platforms operating in India
Primary lawDPDPA 2023 · Section 4
Penalty ceilingup to ₹150 crore per violation under Schedule 1, DPDPA 2023 (Section 4 notice breach)
Enforcement statusData Protection Board accepting complaints — 2026-06
SourceDPDPAReady Compliance Team

What Section 4 of the DPDPA 2023 Mandates

Your company registers 300 attendees for the annual stakeholder conference in Delhi. Under Section 4 of the DPDPA, you must provide written notice to each registrant before collecting their name, email, phone number, and dietary preferences. Fail to include even one required element, and you’re liable for penalties up to ₹150 crore.

Section 4 imposes a notice requirement on every organization collecting personal data. Before you gather names, emails, phone numbers, dietary preferences, or job titles from event attendees or employees, you must provide a written notice containing specific information.

The Act states:

“Before collecting any personal data, a data fiduciary shall provide, in such form as may be prescribed, a notice to the data principal containing the identity and contact details of the data fiduciary, the purpose of collection, intended recipients, duration of retention, and the rights of the data principal under this Act.”

Section 4, Digital Personal Data Protection Act, 2023

What “notice” means: Not a buried link in your privacy policy. Not a checkbox that says “I agree to terms.” Section 4 demands upfront, clear, written disclosure before data collection begins. For corporate events, this translates to:

  • Email confirmations before registration is submitted
  • Registration form disclosures before the “Submit” button
  • Pre-event communications that recap what data you’re using and why

Scope for corporate events:

  • Attendee registrations (name, email, phone, company, designation)
  • HR survey data (feedback, performance input, engagement scores)
  • Employee directory uploads (job title, reporting structure, salary bands)
  • Vendor management (contact details, historical engagement, project participation)
  • Post-event follow-ups (photos, video recordings, testimonials)

Penalty for breach: Negligence or willful violation of Section 4 attracts penalties up to ₹150 crore under the DPDPA Schedule. A single corporate event with hundreds of registrants could trigger penalties per violation—meaning one event, one thousand attendees, one thousand separate breaches if notice is absent or deficient.


The 7-Point Section 4 Notice Template

Use this checklist to draft your corporate event notice. Include all 7 points in your registration email, form header, or event webpage before attendees submit data. Each element is non-negotiable; omitting one constitutes a Section 4 breach.

The 7 Mandatory Elements

1. Your Organization’s Full Legal Name & Contact Details

  • Example: “Acme Corporate Events Pvt Ltd, registered at 123 Sector 22, Noida, UP. Contact: compliance@acme.co / +91-XX-XXXX-XXXX”
  • Why it matters: Attendees must know exactly who is collecting their data and how to reach you with complaints or requests.

2. The Specific Personal Data You’re Collecting

  • Example: “We collect: first name, last name, professional email, mobile number, company name, job title, dietary restrictions, and the date you register.”
  • Why it matters: Vagueness (“we collect information about you”) violates Section 4. Name every field, including optional ones.

3. The Purpose of Collection

  • Example: “Purpose: To register you for the conference, send event schedules, arrange catering, conduct post-event surveys, and contact you with event updates.”
  • Why it matters: Section 4 requires this explicitly. Attendees must understand why you need their dietary preference or job title.

4. Who You’ll Share This Data With (Intended Recipients)

  • Example: “Recipients: Our venue partner (for catering coordination), the photography vendor (for event media), and our internal event team. We do not sell attendee lists.”
  • Why it matters: Transparency about third parties is non-negotiable. Attendees must know if their data goes to external parties.

5. How Long You’ll Keep the Data (Duration of Retention)

  • Example: “Retention: We keep registration data for 3 years post-event for attendee records and tax compliance. Photographs are kept for 5 years for marketing use. You may request deletion anytime.”
  • Why it matters: No indefinite retention. Section 4 demands clarity on storage duration and deletion rights.

6. The Data Principal’s Rights Under the DPDPA

  • Right to access their personal data
  • Right to correct inaccurate data
  • Right to erasure (deletion)
  • Right to data portability
  • Right to grievance redressal
  • Example: “You have the right to request access to, correction of, or deletion of your personal data by emailing dpo@acme.co within 30 days.”
  • Why it matters: Section 4 makes this mandatory. Failing to state rights is a direct breach.

7. Grievance Officer Contact Information

  • Full name, designation, email, and phone
  • Response time commitment (e.g., “We will respond within 30 days”)
  • Example: “Grievance Officer: Rajesh Kumar, Email: grievances@acme.co, Phone: +91-XX-XXXX-XXXX, Response time: 30 days.”
  • Why it matters: Section 4 requires a mechanism for complaints. A single grievance contact with clear timelines is defensible.

Fill-in-the-Blank Notice Template for Your Event

Copy this template and populate the bracketed fields. Use this in your event registration email or form header:

Dear [ATTENDEE_NAME],

We look forward to having you at [EVENT_NAME] on [EVENT_DATE] in [CITY].

Before we register you, here is what we collect and why:

Organization: [YOUR_ORGANIZATION_FULL_NAME], registered at [YOUR_ADDRESS], India.
Contact: [YOUR_EMAIL] / [YOUR_PHONE]

What We Collect:
[LIST EACH FIELD: name, email, phone, company, job title, dietary preference, etc.]

Why We Collect It:
We collect this data to [DESCRIBE PURPOSE: register attendees, arrange catering, send event updates, conduct surveys, etc.]. We do NOT use this for marketing emails or third-party promotions beyond [SPECIFY IF ANY].

Who We Share It With:
[VENUE_NAME], [CATERING_PARTNER], [PHOTOGRAPHER/VIDEOGRAPHER], and [ANY OTHER THIRD PARTIES]. We do not sell your data to external parties.

How Long We Keep It:
Registration data: [X years]. Event photographs: [X years]. You can request deletion anytime by emailing [DPO_EMAIL].

Your Rights:
You can request access to, correction of, or deletion of your personal data anytime. Email our Data Protection Officer at [DPO_EMAIL].

Questions or Complaints:
Grievance Officer: [NAME], [DESIGNATION]
Email: [GRIEVANCE_EMAIL]
Phone: [GRIEVANCE_PHONE]
Response time: 30 days.

By registering, you confirm you have read and understood this notice.

Best regards,
[YOUR_NAME], [YOUR_TITLE]
[ORGANIZATION]

How to Implement This Across Your Events Calendar

Phase 1: Audit Your Current Practices (Weeks 1–2)

  1. Pull your last 5 event registration forms and review what data you’re collecting.
  2. List every field: name, email, phone, company, dietary restrictions, photos, LinkedIn profile, emergency contact, etc.
  3. Check your current privacy policies. Are they 5+ pages of legal boilerplate? Section 4 requires specific, plain-language notice before collection—not buried in page 8.
  4. Identify all third parties: venue, caterer, photographer, videographer, AV vendor, survey tool, email platform, ticketing system.

Phase 2: Draft Your 7-Point Notice (Weeks 2–3)

  1. Fill in the template above with your organization’s details.
  2. Keep it under 300 words. Attendees won’t read a 2-page legal document.
  3. Get your legal team to sign off—not to rewrite it into jargon, but to confirm accuracy and check that all 7 elements are present.
  4. Store the signed notice in a shared folder (e.g., G Drive, SharePoint) dated and versioned (v1.0, v1.1, etc.). Include effective date and last update date.

Phase 3: Embed the Notice in Your Registration Flow (Week 3)

  • Email registration workflow: Send the notice in the confirmation email immediately after ticket purchase, before any data processing occurs.
  • Online registration form: Add the notice in a separate section above the “Submit” button, or as a collapsible accordion. Require a checkbox: “I have read and confirm the data notice.”
  • Physical registration (in-person events): Print the notice and hand it to attendees at check-in with a verbal summary from staff.
  • Post-event follow-ups: If you’re sharing photographs or conducting surveys, send a fresh notice before collecting that new data.

Phase 4: Create Your Grievance Process (Week 4)

  1. Assign a Data Protection Officer (DPO) or designate an existing HR/Compliance team member.
  2. Create a dedicated email inbox: dpo@[yourcompany].com or grievances@[yourcompany].com.
  3. Set up a 30-day response template in your email management system.
  4. Document: Who receives complaints? Who investigates? Who approves the response?
  5. Maintain a log of every grievance, even if it’s to say “reviewed and no breach found.”

Phase 5: Train Your Event Team (Ongoing)

  • Ensure everyone handling registrations understands that Section 4 notice is not optional—it’s a legal requirement before collection.
  • Share a one-page quick reference: “Before collecting data, show the notice.”
  • Conduct a 15-minute review at the start of each event season.

Frequently Asked Questions

Q: Do I need to send a separate notice for every event, or can I use a blanket notice?

A: You need a notice per collection purpose or event. If your annual conference collects data for a different reason than your monthly HR survey, send separate notices. You can use a template and customize fields, but the notice must be accurate to that specific collection. A blanket notice that says “we collect data for various events” is too vague and violates Section 4.

Q: We use a third-party event platform like Eventbrite. Are we compliant if the platform shows its privacy policy?

A: No. Eventbrite’s privacy policy is their notice to attendees, not yours. You are the “data fiduciary” responsible for your event, so you must still provide your own notice listing your recipients (including Eventbrite), your retention period, and your grievance contact. Add the notice to your event description or send it via email before registration opens.

Q: Can we collect data through a form without showing the notice if we collect it verbally at check-in?

A: No. Section 4 requires notice before collection, regardless of method. Whether you collect data online, on paper, or verbally, you must provide the notice first. At physical events, provide printed notices at the entrance or during registration. Verbal collection without prior notice is a breach.

Q: How specific does the “intended recipients” section need to be?

A: Specific enough that attendees know who will see their data. “We share with our vendors” is too vague and fails Section 4. “We share your name, email, and company with our venue partner, Taj Convention Centre, for catering and logistics coordination” is compliant. If you’re not sure whether to name a vendor, ask: Would an attendee want to know this before registering? If yes, name it.

Q: If we collect job titles for post-event surveys, is that a separate collection that needs a new notice?

A: Yes. If attendees didn’t expect you to use their job title for surveys when they registered, that’s a new purpose and potentially new recipients (the survey tool provider). Send a fresh notice before the survey email goes out, reminding them what data you’re using and why. Section 4 applies every time you initiate a new collection activity.

Section 4 DPDPA notice requirementCorporate events attendee data disclosureHR employee data collection compliance IndiaDPDPA notice template corporate eventsAttendee registration Section 4 noticeCorporate event compliance checklist DPDPAPersonal data notice corporate events India
VERIFIED DPDPAReady Editorial Desk 23 JUN 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →