✓ Link copied
DPDPA 2023 Compliance

Section 4 Notice Checklist for Trade Shows: 12 Mandatory Details for Visitor Registration

Applies toTrade Show Organizers & Exhibition Management Companies operating in India
Primary lawDPDPA 2023 · Section 4
Penalty ceiling₹150 crore per violation
Enforcement statusData Protection Board accepting complaints — 2026-06
SourceDPDPAReady Compliance Team

What’s at Stake When You Skip the Notice

A Delhi-based exhibition organizer collected 8,000 visitor registrations for their annual tech trade show without providing a pre-collection notice. Three months later, a visitor filed a complaint citing Section 4 DPDPA. The organizer faced a corrective notice from the Data Protection Board and ₹50 lakh in remediation costs. The mistake: no notice, no consent validation, no compliance proof.

Section 4 of the Digital Personal Data Protection Act, 2023 mandates that your organization provide clear, prior notice before collecting any personal data from trade show visitors. Miss this, and you’re in violation—regardless of whether you later process the data fairly.

Section 4: Purposes and grounds for processing personal data

A data fiduciary shall not process personal data other than for the purposes and grounds specified in the notice provided to the data subject.

This is the foundation. Your notice must specify the purpose (e.g., “registration for TechExpo Delhi 2026”), and all data collection must fall within that declared purpose.

Why Trade Shows Are High-Risk Under Section 4

Trade show organizers typically:

  • Collect data at physical registration booths (in-person capture)
  • Use digital forms (online registrations weeks before the event)
  • Share attendee lists with exhibitors (third-party recipients)
  • Retain data for post-event surveys and marketing

Each of these triggers Section 4 compliance gaps:

  1. Physical registration: Visitors often sign a form or scan a badge without reading a notice. Section 4 requires a notice before collection, not during or after.
  2. Third-party sharing: If you plan to share the attendee list with exhibitors, your pre-collection notice must disclose this upfront.
  3. Retention for follow-up: If you’ll use registration data for post-event surveys or future event marketing, your notice must name this purpose at the point of collection.

The 12-Point Section 4 Pre-Collection Notice Checklist for Trade Shows

Before you collect a single visitor registration, your notice must include all 12 of these elements. Omit even one, and you risk a Section 4 breach.

Pre-Collection Notice Template (Fill in the blanks)


TRADE SHOW VISITOR DATA COLLECTION NOTICE
(Compliant with Section 4, DPDPA 2023)

Event Name: [Event name, e.g., “TechExpo Delhi 2026”]
Event Date: [Date range]
Organizer Name: [Your organization/company name]
Organizer Contact: [Email and phone]

1. Purpose of Collection
We collect your personal data for the sole purpose of: [Primary purpose—e.g., “registering you as a visitor, managing event logistics, and providing event updates”]

2. What Data We Collect
We collect the following personal data from you:

  • Full name
  • Email address
  • Phone number
  • Company/organization name
  • Job title
  • Dietary preferences (if applicable for catering)
  • Other: [specify, e.g., “attendance preferences”]

3. Legal Ground for Collection
We collect this data because:

  • You have given us explicit consent to register for the event
  • We have a legitimate interest in managing the event safely and effectively
  • We are required by law or contract to do so (specify if applicable)

4. Duration of Data Retention
Your personal data will be retained for: [e.g., “90 days after the event concludes, unless you opt into our mailing list, in which case retention is 12 months or until you unsubscribe”]

5. Recipients (Third Parties) of Your Data
Your data may be shared with:

  • Event logistics partner (transportation, catering): [Name, if known]
  • Exhibitors participating in the event (attendee lists may be provided): [Yes/No]
  • Photographers/media for event coverage: [Yes/No]
  • Post-event survey tools or mailing platforms: [Specify vendors, e.g., “MailChimp”]
  • Other: [specify]

6. Your Rights
Under the DPDPA, you have the right to:

  • Request access to your personal data
  • Request correction of inaccurate data
  • Request erasure of your data (except where we have a legal obligation to retain it)
  • Withdraw consent at any time by emailing [compliance email]

7. Contact for Grievances
If you have concerns about how we handle your data, contact:
Data Protection Officer: [Name]
Email: [Email]
Phone: [Phone]
Address: [Office address]

8. How We Protect Your Data
We implement [describe security measures—e.g., “encrypted forms, password-protected databases, restricted staff access, annual security audits”]

9. Automated Decision-Making
We do [ ] / do not [✓] use your personal data for automated decision-making (e.g., algorithmic badge assignment, session recommendations)

10. Cross-Border Data Transfer
Your data will [ ] / will not [✓] be transferred outside India. If yes, specify destinations and safeguards: [e.g., “Data may be shared with our US-based registration platform, which complies with standard contractual clauses”]

11. Children’s Data
If you are under 18, parental/guardian consent is required. Registrants under 18 must provide: [ ] Parental email confirmation

12. Policy Updates
We may update this notice. Changes take effect [e.g., “14 days after posting”]. Continued participation means acceptance of the updated terms.


Visitor Acknowledgment:
By registering, I confirm I have read and understood this notice. [ ] I consent to the collection and use of my data as described above.

Signature / Digital Acceptance:
[Checkbox or e-signature field]


How to Deploy This Notice in Compliance

For In-Person Registration (Physical Booths)

  1. Print the notice on registration forms — Full notice above the signature line, font size minimum 10pt.
  2. Require active acknowledgment — Checkboxes or signature, not passive reading.
  3. Staff training — Train registration staff to confirm attendees have read the notice before data collection.
  4. Audio option — For accessibility, QR code linking to an audio version of the notice.

For Online Registration (Web / Mobile Forms)

  1. Display before the form — Show the full notice before any data entry field.
  2. Mandatory checkbox — “I have read and agree to the data collection notice” must be checked before the submit button unlocks.
  3. Layered notice — Link to a full policy page; the form itself can summarize key points.
  4. Timestamp the consent — Log when and how the visitor accepted the notice.

For Digital Badge Check-In (QR / NFC Scans)

  1. Pre-event email — Send the notice 7–10 days before the event; require confirmation of receipt.
  2. On-device notice — If checking in via mobile app, display notice on the check-in screen with a mandatory tap-to-confirm.
  3. Physical printout at booth — Print the notice and have check-in staff point attendees to it.

Common Section 4 Pitfalls and How to Avoid Them

PitfallRiskFix
No notice (assume attendees know why you’re collecting)Section 4 violation, ₹150 crore exposureDeploy notice template above before any collection
Generic notice (“We collect data”) without event-specific purposeViolation—notice must state exact purposeName the event, dates, and specific uses
Silent third-party sharing (pass attendee list to exhibitors without prior disclosure)Section 4 violation + breach of data subject rightsAdd exhibitor sharing explicitly to notice
Notice buried in T&Cs (12-page terms, notice hidden on page 8)Likely unenforceable—notice must be clear and prominentOne-page, plain language, checkbox-based
Consent conflated with notice (notice says “we will collect” instead of “we are asking permission”)Weak legal position if challengedNotice is mandatory; consent is the attendee’s response
No timestamp on consent (can’t prove when notice was shown)Compliance audit failureLog acceptance time, form hash, IP address

Section 4 Compliance Timeline for Your Next Trade Show

  • T-60 Days: Audit your current data collection process. Identify all purposes, recipients, and retention windows.
  • T-45 Days: Draft your event-specific notice using the template above. Have legal counsel review.
  • T-30 Days: Deploy notice on registration pages and print on physical forms. Train staff.
  • T-14 Days: Send pre-event email with notice to all pre-registered attendees; request confirmation.
  • T-7 Days: Perform mock registration test. Confirm notice displays, consent is captured, and timestamp logs are working.
  • Event Day: Verify all registration staff reference the notice.
  • T+30 Days: Retain copies of all notices shown, timestamps of consent, and any attendee data access requests.

Frequently Asked Questions

Q: Do I need Section 4 notice if visitors are just walking into the event without pre-registration?
A: Yes. Even walk-in attendees who provide data (name, company, email at the door) must receive notice before you collect their details. A printed notice at the registration desk, a verbal summary from your staff, or a QR code linking to the full policy all satisfy this requirement. However, the notice must be shown before data is collected, not after badge printing.

Q: Can I use the same notice for all attendee types (visitors, exhibitors, speakers)?
A: Not entirely. Exhibitors and speakers may have different data uses (e.g., payment processing for exhibitors, speaker honorariums for speakers). Your notice must specify who the data subject is and what purposes apply to them. You can use a template with conditional sections (e.g., “If registering as an exhibitor, your data will also be used for invoice and contract processing”).

Q: What if I want to share the attendee list with my email marketing vendor after the event?
A: This must be disclosed in the Section 4 notice before registration. Include the specific purpose (“post-event surveys and promotional emails for future events”) and the vendor name (if known) or category (e.g., “third-party email marketing platform”). If a visitor doesn’t accept this, you cannot use their data for marketing without a separate, new notice and consent.

Q: Section 4 says “specified in the notice”—does that mean I must list every single purpose in one sentence?
A: No. Your notice can be structured with separate sections (Purpose, Retention, Recipients). However, each purpose must be explicit and unambiguous. Vague language like “event operations and related activities” is not sufficient; it should be “event registration, catering logistics, speaker coordination, and post-event feedback surveys.” If you discover a new purpose after the notice was published, you must collect fresh consent for that new purpose.

Q: If a visitor refuses to accept the Section 4 notice, can I still collect their data?
A: No. If they don’t consent, you cannot collect their data under that notice. However, you have two options: (1) Deploy a modified notice stating only the data fields and purposes they agree to, or (2) Explain that certain data (e.g., email for event logistics) is mandatory and that declining the notice means they cannot register. Document their choice in your consent logs.

Section 4 DPDPA visitor data collection trade showsTrade show registration notice DPDPA complianceExhibition attendee data protection checklist IndiaPre-collection notice template trade showsDPDPA Section 4 grounds for processing eventsEvent registration form compliance DPDPATrade show data collection penalties Section 4
VERIFIED DPDPAReady Editorial Desk 27 JUN 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →