✓ Link copied
DPDPA 2023 Compliance

Section 4 Compliance Checklist: Personal Data Collection in Marathons & Sports Events

Applies toMarathon organizers, sports event management companies, race operators handling participant registration and data collection
Primary lawDPDPA 2023 · Section 4
Penalty ceiling₹150 crore per violation
Enforcement statusData Protection Board accepting complaints — 2026-06
SourceDPDPAReady Compliance Team

Why Section 4 Fails Marathon Organizers (And What It Requires)

A 15,000-runner half-marathon in Mumbai collects names, emails, ages, medical conditions, emergency contacts, and payment data through its registration form. Two weeks later, the organizer receives a notice from the Data Protection Authority: the registration form didn’t disclose the grounds for collecting health information, and participants couldn’t tell where their data would be stored. ₹150 crore penalty exposure—and the event is still happening.

Section 4 of the DPDPA 2023 establishes the foundational requirement: personal data can only be collected when notice is provided before collection and the grounds for that collection are clearly stated. It’s not optional, and it’s not vague. If you’re running a marathon, sports event, or multi-day tournament, Section 4 is the section that decides whether your registration process is compliant or costly.

What Section 4 Says (Exactly)

Section 4 requires that before you collect any personal data from a participant, you must:

1. Provide Notice Prior to Collection Your notice must be presented before any personal data is collected. The participant must see and understand what data you’re collecting and why before they enter any information.

2. Disclose the Grounds for Collection For each piece of data, you must state the ground—the legal or business reason you’re collecting it. Examples:

  • “Name and email: Registration processing and event confirmation”
  • “Date of birth: Age category assignment and eligibility verification”
  • “Medical conditions: Health & safety, emergency response”
  • “Emergency contact: Emergency response and medical care coordination”
  • “Payment card details: Payment processing only”

3. State the Purpose and Retention Period Your notice must say what you’ll do with the data and how long you’ll keep it. Example: “We retain participant data for 6 months after the event, then delete it permanently.”

4. Obtain Affirmative Consent The participant must affirmatively consent (check a box, sign a form) before the data is collected. If they don’t consent, you cannot collect that data—and you cannot register them if the data is essential (name, email, payment).

The penalty for breaching Section 4 is up to ₹150 crore.

Section 4 Notice Template for Marathon Registration

Use this template as your registration-form notice. Customize the bracketed sections with your event details.


[EVENT NAME] – Personal Data Notice (Section 4, DPDPA 2023)

Before you register, please read:

We collect personal data to provide you with the services listed below. We will not collect any data without your consent.

Data We Collect & Why:

Data TypeGround for CollectionRetention Period
Name, Email, PhoneRegistration processing, event confirmation6 months after event
Date of BirthAge category assignment, eligibility verification6 months after event
Medical Conditions / AllergiesHealth & safety, emergency medical response6 months after event
Emergency Contact Name & PhoneEmergency response and medical coordination6 months after event
T-shirt Size, Dietary PreferencesEvent logistics and participant comfortUntil event completion
Payment Card DetailsPayment processing (charged to [Payment Processor Name])Deleted after payment confirmation
Photos / Video During EventMarketing, social media, event highlights (separate consent required)2 years or as per your settings

Your Data Will:

  • Be stored on [specify storage: cloud provider, server location]
  • NOT be shared with third parties unless you consent separately
  • Be deleted on [date] or upon your request
  • Be protected with encryption and access controls

Your Rights Under Section 4:

  • Right to access your data
  • Right to correct inaccurate data
  • Right to request erasure (deletion)
  • Right to withdraw consent at any time
  • Right to grievance redressal

I understand and consent to the collection and processing of my personal data as described above:

☐ Yes, I consent to data collection and processing ☐ No, I do not consent (cannot proceed with registration)


Separate Photo/Video Consent (Must be separate from data collection consent):

Photographs and videos will be taken during the event and may be used for:

  • ☐ Official event website and archives
  • ☐ Social media (Instagram, Facebook, YouTube)
  • ☐ Marketing materials and future event promotion
  • ☐ Media coverage and press releases

☐ I consent to photo/video use for the selected purposes above ☐ I do not consent to photo/video use


6-Step Section 4 Compliance Checklist

Step 1: Audit Your Current Registration Form

List every field you currently collect:

  • Full name
  • Email address
  • Phone number
  • Date of birth
  • Medical conditions / allergies
  • Emergency contact name & phone
  • T-shirt size
  • Dietary preferences (vegan, gluten-free, etc.)
  • Payment card information
  • Gender / Age category
  • Running experience level
  • Photo release consent
  • Other: ___________

Step 2: Define the Ground for Each Field

For every field, write down why you collect it. Be specific:

  • Name → “Registration processing and race bib issuance”
  • Email → “Registration confirmation, race updates, results notification”
  • Phone → “Event day communication, registration verification”
  • Date of Birth → “Age category assignment, eligibility verification”
  • Medical Conditions → “Health & safety, emergency medical response”
  • Emergency Contact → “Emergency response and medical care coordination”
  • T-shirt Size → “Event logistics and merchandise fulfillment”
  • Dietary Preferences → “Post-race food planning and participant comfort”
  • Payment Card → “Payment processing (do not store card numbers; use payment processor)”

Step 3: Write Your Section 4 Notice

  • Copy the template above
  • Replace bracketed sections with your event details
  • Use plain English—no legal jargon
  • State the ground for each data type
  • State retention period (how long you keep the data)
  • State where data is stored (cloud provider, data center location)

Step 4: Place the Notice Before the Form Starts

  • Notice appears on the registration page before any form fields
  • Notice is in a single, readable block (not scattered)
  • Font size is readable (not tiny)
  • Notice is the same language(s) as your event materials

Step 5: Add Consent Checkboxes

  • Two clear checkboxes appear below the notice:
    • ☐ “I consent to the collection and processing described above”
    • ☐ “I do not consent”
  • Registration form is disabled until “I consent” is checked
  • If participant checks “I do not consent,” show message: “We cannot process your registration without consent to collect essential data.”

Step 6: Handle Photo/Video as Separate Consent

  • Photo/video consent is a separate checkbox, not bundled with data collection
  • Notice for photos states specific uses (website, social media, marketing)
  • Participant can refuse photos and still register
  • Photo consent can be changed or revoked after registration

Step 7: Document Your Data Retention & Deletion

  • Write a Data Retention Policy naming how long you keep each data type
  • Document your deletion process (how data is securely deleted)
  • If you use a payment processor, verify they delete card data immediately
  • Train your team to follow the deletion timeline
  • Test deletion: verify data is actually removed after the retention period

Step 8: Create a Privacy Notice / Grievance Mechanism

  • Publish a full Privacy Notice on your website linking to the Section 4 template
  • Provide a grievance email: privacyofficer@[yourdomain].com
  • Respond to data access/erasure requests within 30 days
  • Document all requests and responses

Real Example: Half-Marathon in Delhi

Old (Non-Compliant) Form:

Marathon Registration
Name: [______]
Email: [______]
Phone: [______]
Date of Birth: [______]
Medical Info: [______]
Emergency Contact: [______]
[Register Now] button

No notice, no consent checkboxes, no disclosure of grounds, no retention policy.

New (Section 4 Compliant) Form:

BEFORE YOU REGISTER – Please Read:

We collect personal data to process your registration, keep you safe, 
and deliver a great race experience. Here's what we collect and why:

[Full Section 4 Notice here, with ground for each field]

Your rights: access, correct, delete your data, or request erasure.

☐ I consent to data collection and processing
☐ I do not consent

[If YES checked:]

Separate Photo/Video Consent:
We may take photos/videos during the event and share them on social media.

☐ I consent to photo/video use
☐ I do not consent

Name: [______]
Email: [______]
Phone: [______]
[Register Now] button (enabled only if main consent is checked)

The Difference:

  • Old form: No notice, no grounds disclosed, no consent. Result: ₹150 crore breach.
  • New form: Clear notice, grounds stated, affirmative consent. Result: Section 4 compliant.

Common Section 4 Mistakes (And How to Fix Them)

Mistake 1: Bundling All Consent into One Checkbox ❌ Wrong: “I consent to all terms, privacy, and photos” ✓ Right: Separate checkboxes for data collection and photo consent

Mistake 2: Placing Notice After the Form ❌ Wrong: Registration form first, notice link at the bottom ✓ Right: Notice displayed before any form fields appear

Mistake 3: Vague Grounds ❌ Wrong: “We collect data for event purposes” ✓ Right: “We collect emergency contact info for emergency response and medical care coordination only”

Mistake 4: Not Stating Retention ❌ Wrong: No mention of how long data is kept ✓ Right: “We delete participant data 6 months after the event”

Mistake 5: Collecting Data Without Consent First ❌ Wrong: Participants fill the form, consent checkbox at the end ✓ Right: Consent checkbox first, form fields only enabled after consent

Mistake 6: Storing Payment Card Data ❌ Wrong: Storing full card numbers in your database ✓ Right: Using a PCI-compliant payment processor; storing only last 4 digits and expiry for reference

Mistake 7: Sharing Data Without Disclosure ❌ Wrong: Sharing participant names with sponsors without mentioning it in the notice ✓ Right: Notice states: “We share participant names and bibs with sponsors for prize draw purposes”

FAQ

Q: Do we need Section 4 notice if registration is on WhatsApp or phone call? A: Yes. Section 4 applies regardless of how you collect data. If you’re collecting names, ages, medical info over WhatsApp or phone, you must provide notice before collection. Send the notice via WhatsApp first; get affirmative consent (“I consent”); then take down the data. Document that consent was obtained.

Q: What if a participant refuses to consent to health data collection but still wants to run? A: If health data is truly optional (e.g., dietary preferences), you can register them without it. If health data is mandatory for safety (e.g., asthma status for medical support at the course), you can refuse registration—but this must be stated in the notice before they begin the form: “Health information is mandatory; if you cannot provide it, you cannot participate.”

Q: Can we collect medical data “just in case” without stating a ground? A: No. Section 4 requires you to state the ground before collection. “Just in case” is not a valid ground. Valid grounds: “emergency response,” “health & safety,” “medical care coordination.” If you can’t state a clear ground, you shouldn’t collect it.

Q: How long can we keep participant data after the event ends? A: Section 4 doesn’t specify, but the Act requires data to be kept only as long as necessary for the stated purpose. If your ground is “registration processing and results delivery,” 6 months is reasonable. If your ground is “marketing for next year’s event,” 1 year is reasonable. Document your retention policy; delete data once the period ends. Participants can request erasure at any time after the event—you must comply within 30 days.

Q: Do virtual marathons (online/app-based) need Section 4 notice? A: Yes. Virtual marathons collect personal data (name, email, payment, performance data). Section 4 applies regardless of format. Your app or website registration must display the notice before the participant fills out any fields.

Q: Can we update our notice after registration begins? A: Yes, but new participants must see the updated notice. Existing participants should be notified of any material changes (e.g., new data sharing with sponsors). If the change is significant, consider re-obtaining consent from past participants before using their data in a new way.

DPDPA Section 4 compliance marathonsmarathon participant data notice templatesports event personal data collectionSection 4 consent checkbox marathonsmarathon registration DPDPA groundssports event data fiduciary noticeDPDPA health data collection sports
VERIFIED DPDPAReady Editorial Desk 25 JUN 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →