Trade Show Visitor Data Under Section 4 DPDPA: 5 Lawful Grounds Explained
| Applies to | Trade Show Organizers & Exhibition Managers operating in India |
| Primary law | DPDPA 2023 · Section 4 |
| Penalty ceiling | up to ₹150 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — 2026-07 |
| Source | DPDPAReady Compliance Team |
Understanding Section 4 DPDPA 2023 for Trade Shows
At the Bangalore Tech Expo 2025, organizers collected 50,000 visitor contact details across three days. Registration booths asked for name, phone, email, and company. When a data protection complaint arrived two weeks later, regulators asked a single question: “Under which ground in Section 4 did you collect this personal data?” Organizers had no documented answer. The potential penalty: ₹150 crore.
Section 4 of the Digital Personal Data Protection Act, 2023, establishes the lawful grounds under which any entity may collect personal data. Without one of these grounds, collection is unlawful—regardless of how securely you store the data afterward. For trade shows and exhibitions in India, this Section is foundational.
What Section 4 Says
Section 4 specifies that personal data must be collected only on one or more of these grounds:
“A data processor shall not collect any personal data unless on one or more of the following grounds, namely:— (a) with the consent of the data principal; (b) for performance of an obligation arising from a contract to which the data principal is a party; (c) for compliance with an obligation imposed by the Parliament through law; (d) for protection of vital interests of the data principal; (e) for discharge of a function authorized by law; (f) for purposes which include (i) the legitimate interests pursued by the data processor or any third party; or (ii) the legitimate interests pursued by the Government; or (iii) the legitimate interests pursued by an individual.”
For trade shows and exhibition organizers, grounds (a), (b), (e), and (f) are most relevant. Ground (c) applies when local regulations mandate collection (e.g., security compliance). Understanding which ground applies to each data element is the first step toward compliance.
The 5 Lawful Grounds Applicable to Trade Show Data Collection
Ground 1: Collection with Consent (Section 4(a))
When it applies: When an attendee voluntarily agrees to share personal data.
Consent at a trade show must be:
- Explicit and specific — “I agree to share my email for post-event communications” is valid; a checkbox buried in terms is not.
- Documented — Signed consent forms, digital checkboxes with timestamps, or email confirmations proving the visitor consented.
- Freely given — Not a condition of entry (unless entry itself is contractual; see Ground 2).
- Revocable — The visitor must be able to withdraw consent later.
Example: The Delhi Women in Business Expo asks visitors at the registration desk: “May we contact you in the next 90 days with updates on future events?” A badge printer collects name and email; the visitor checks a box. That checkbox is documented consent under Section 4(a).
Common mistake: Collecting email addresses for your database without asking. Assuming attendee lists from exhibitors come with consent. Sending follow-up emails to visitors who never opted in.
Ground 2: Performance of Contract (Section 4(b))
When it applies: When data collection is necessary to execute a transaction or service agreement.
For trade shows, this includes:
- Visitor registration and badge printing
- Ticket processing and entry management
- Exhibitor booth assignments and invoicing
- Delegate packages or paid attendee tiers
Example: The Mumbai International Electronics Fair charges ₹500 per visitor for a 3-day pass. The visitor provides name, email, phone, and company affiliation to receive the ticket. This data is collected under Section 4(b) because it is necessary to deliver the contracted service (event access). No separate consent form is needed for these elements.
However, if you want to collect data beyond what is necessary for the contract (e.g., marital status, purchasing behavior, career history), you must cite another ground, typically Ground 1 (consent) or Ground 6 (legitimate interests).
Key distinction: Ground 2 covers essential data only. Non-essential enrichment requires consent.
Ground 3: Compliance with Law (Section 4(c))
When it applies: When a statute, regulation, or government order requires you to collect data.
Examples in the Indian trade show context:
- GST registration: If your event is taxable, you may need to collect business details for GST filings.
- FCRA compliance: If foreign nationals are attending, certain organizers may need to collect and report per FCRA rules.
- Security and crowd management: Some state governments or event venues mandate visitor logs for emergency access and safety protocols.
- Labor law compliance: If hiring or recruiting happens at the show, some data collection may be mandated.
Example: The Hyderabad Import-Export Trade Fair is required by the Telangana police to maintain an attendee log at the venue gates for security purposes. Collecting names and ID details falls under Section 4(c). The event organizers must have a copy of the government directive and make it available to data subjects who request it.
Important: The legal requirement must be in writing — cite the statute, regulation, or government order.
Ground 4: Legitimate Interests (Section 4(f))
When it applies: When collecting data serves a genuine business purpose, and the visitor’s interests do not override that purpose.
For trade shows, legitimate interests include:
- Analyzing attendee behavior to improve future events
- Sending non-marketing communications (e.g., event updates, schedule changes, technical announcements during the event)
- Security and fraud prevention
- Post-event feedback and surveys
- Marketing to exhibitors based on attendee demographics
Example: The Jaipur Craft & Design Fair collects visitor zip codes to map geographic attendance patterns for its annual report to exhibitors. No formal consent is required; the collection is justified under legitimate interests (understanding market reach). However, organizers must be transparent: a privacy notice at registration must state, “We collect your location to analyze event reach and improve future exhibitions.”
Key requirement: Under Section 4(f), you must balance your interests against the visitor’s privacy expectations. Collecting data without transparency, or for purposes a reasonable visitor would not anticipate, fails this ground.
Ground 5: Protection of Vital Interests (Section 4(d))
When it applies: When data collection is necessary to prevent serious harm to a person’s health, safety, or life.
This ground is rare at trade shows but can arise in:
- Medical trade fairs where health conditions are collected for matching attendees with exhibitors
- Safety incidents requiring emergency contact data
- Allergy or dietary restrictions for conference catering
Example: The Chennai Medical Devices Expo collects data on visitor allergies and mobility needs to ensure safe event logistics. This falls under Section 4(d) because it is necessary to protect attendee safety.
Step-by-Step Compliance Checklist for Trade Shows
Step 1: Map All Data Collection Points
List every place where you collect personal data:
- Registration desks
- Online ticket booking
- Exhibitor lead forms
- Credential requests
- WiFi login
- Post-event surveys
- Badge scanning (for exhibitor leads)
Step 2: Assign a Section 4 Ground to Each Collection Point
For each data element (name, email, phone, company, job title, etc.), determine which Section 4 ground justifies collection:
| Data Element | Collection Point | Section 4 Ground | Documentation Required |
|---|---|---|---|
| Name, Email | Registration desk | Contract (b) | Ticket purchase receipt |
| Phone number | Registration desk | Consent (a) | Signed consent form |
| Dietary restrictions | Event booking | Vital Interests (d) | Booking form with explicit opt-in |
| Job title, Company | Badge form | Consent (a) or Legitimate Interests (f) | Consent checkbox or privacy notice |
| Post-event contact | Registration | Legitimate Interests (f) + Transparency | Privacy notice at booth |
Step 3: Create Documentation
For Consent-based collection:
- Prepare a one-page consent form: “I consent to [specific data] being collected and used for [specific purpose] for [time period].”
- Display this at every collection point (physical and digital).
- Collect signed/timestamped confirmation.
- Retain copies for at least 2 years.
For Contract-based collection:
- Link data collection to the ticket or registration contract.
- State on the registration form: “The following data is required to process your entry: [list].”
- Retain copies of tickets and registrations.
For Legitimate Interests–based collection:
- Draft a privacy notice: “We collect [data] to [purpose]. We balance our interests against your privacy. You have the right to object.”
- Display this notice at the point of collection.
- Be prepared to explain the balancing test (why your interests justify collection).
Step 4: Implement Data Retention Limits
Do not retain data longer than necessary. Examples:
- Attendee names and emails for a 1-year event follow-up: retain for 1 year, then delete.
- Consent records for audit purposes: retain for 2 years (to demonstrate compliance).
- Payment and invoice data: retain per GST rules (typically 6 years).
Step 5: Train Staff
Ensure registration desk staff, exhibitor liaisons, and data handlers understand:
- Which Section 4 ground applies to their collection activities.
- How to respond when a visitor asks, “Why do you need this data?”
- How to honor data subject rights (access, correction, deletion).
Step 6: Audit Before the Event
- Review all forms, digital intake systems, and badge-scanning protocols.
- Confirm that Section 4 grounds are documented.
- Test the consent workflow (if using consent).
- Ensure privacy notices are visible and clear.
Real-World Risk Scenarios & Penalties
Scenario 1: The Exhibitor List Problem
The Situation: An organizer collects 10,000 attendee emails without consent at the event. Post-event, the organizer sells the attendee list to 50 exhibitors for next year’s marketing.
Section 4 Violation: No ground was documented. Collection was not contractual (attendees were not charged). No consent was sought. No legitimate interests notice was provided.
Penalty: Up to ₹150 crore per violation (the regulator may count each unauthorized email sale as a separate violation).
Avoidance: Use a consent form at registration: “I agree to share my email with future exhibitors and event organizers for relevant updates.”
Scenario 2: The GDPR Confusion
The Situation: A Bangalore-based event management company collects visitor data claiming GDPR compliance is sufficient. However, visitors are primarily Indian.
Section 4 Violation: GDPR lawful bases do not automatically satisfy DPDPA’s Section 4 grounds. DPDPA is stricter in some respects (e.g., no “balance of powers” exception for government; explicit requirement for vital interests).
Penalty: Up to ₹150 crore. Regulators have noted that international standards do not substitute for DPDPA compliance.
Avoidance: Audit your collection practices against Section 4 specifically. Do not assume GDPR compliance equals DPDPA compliance.
Scenario 3: The Contract Overreach
The Situation: An organizer collects name and email under Section 4(b) (contract). Then uses the email list to send unsolicited marketing for unrelated products (e.g., real estate, insurance).
Section 4 Violation: Data collected under Section 4(b) can only be used for the contracted purpose. Repurposing for unrelated marketing exceeds the ground’s scope.
Penalty: Up to ₹150 crore, plus potential non-compliance fines for unsolicited marketing under other sections (e.g., Section 5 notice requirements).
Avoidance: Clearly separate contractual data (for event logistics) from marketing data (with separate consent).
Scenario 4: The Exhibitor Booth Scan
The Situation: Exhibitors scan QR codes on visitor badges to capture contact details. No consent mechanism is in place at the booth.
Section 4 Violation: The data is collected by a third party (exhibitor), but the event organizer enabled the collection without a documented ground.
Penalty: Both the organizer (facilitator) and the exhibitor may face penalties. Organizers are liable for third-party collection on their premises.
Avoidance: Provide visitors an opt-in badge feature or separate consent zone. Communicate to exhibitors that visitors must consent before scanning.
Practical Playbook: From Registration to Archive
Before the Event
- Design the registration form — include consent checkboxes and privacy notices.
- Train staff — use a quick reference card detailing which Section 4 ground applies to each field.
- Set retention timelines — document when you will delete attendee data.
During the Event
- Collect consistently — apply the same consent and ground-mapping rules to all intake methods (desk, digital, exhibitor scans).
- Post privacy notices — visible signage stating Section 4 grounds and attendee rights.
After the Event
- Segment data by ground — separate consent-based data from contract-based data for cleaner management.
- Honor access requests — prepare to respond to attendees requesting copies of data within 30 days.
- Delete per timeline — remove data that has served its purpose; retain audit records.
Penalties Under Section 4 DPDPA
If an organizer collects personal data without establishing a lawful ground under Section 4:
- Penalty: Up to ₹150 crore per violation
- Cumulative liability: Multiple violations (e.g., emails sent, data sold) can compound penalties
- Reputation cost: Regulatory findings are public; the damage to attendee trust often exceeds fines
The regulator considers:
- Scope of unauthorized collection (how much data, how many people)
- Duration (how long was data held without a ground)
- Harm to data subjects (were emails sold, misused, breached)
- Cooperation with investigation
Frequently Asked Questions
Q1: Can we assume consent just because someone attended our event?
No. Attendance alone does not imply consent to data collection. Consent must be explicit, documented, and specific to the data you are collecting and its intended use. At a ₹500 ticket event, the attendee has contracted for entry—not for their email to be added to a marketing list. Collect only what is contractual; ask consent for anything beyond that.
Q2: What if an exhibitor collects visitor data at their booth without our permission—are we liable?
Yes. As the event organizer, you are responsible for third-party data collection on your premises. Before the event, communicate to exhibitors that they may only collect data with explicit visitor consent. Provide them with consent forms or a guide to DPDPA compliance. If an exhibitor collects data improperly and a complaint arises, the regulator will hold both the organizer and the exhibitor accountable.
Q3: Can we use email addresses collected “for event logistics” to send marketing emails after the event?
Only if you obtained separate consent for marketing. Data collected under Section 4(b) (contract) is limited to the contracted purpose—event logistics, ticketing, and updates. Using those emails for unrelated marketing requires new consent under Section 4(a) or a documented legitimate interests assessment under Section 4(f). A safe approach: at registration, ask visitors to check separate boxes for logistics, marketing, and exhibitor sharing.
Q4: If we are collecting data for security purposes, do we need consent?
It depends on the legal requirement. If your venue’s security policy or a government order mandates collection (e.g., police requirement for attendee logs), cite Section 4(c). If you are collecting for your own security analysis (theft prevention, crowd management), use Section 4(f) (legitimate interests) with a transparent privacy notice. Vital interests (Section 4(d)) apply only if there is an immediate risk to health or safety.
Q5: How long can we keep attendee data after the event?
Retain data only as long as its purpose remains valid. For event logistics, 1 year post-event is typical; for marketing consent, as long as the visitor has not revoked consent (they can opt out at any time). For audit and compliance purposes, retain consent records and Section 4 ground documentation for 2 years. After the retention period, delete the data or anonymize it (remove names, emails, identifiers). Deleting is safer than anonymizing poorly.
Q6: Do we need a separate privacy policy for each Section 4 ground?
No, but your privacy policy must clearly explain which ground applies to which data collection. Structure it like this: “We collect name and email for your ticket at the grounds of contract (Section 4(b)). We collect job title for future event analysis at the grounds of legitimate interests (Section 4(f)). We collect dietary preferences to protect your health (Section 4(d)).” This transparency helps visitors understand the legal basis for collection—a key DPDPA requirement.
Q7: What if we forget to document the Section 4 ground at the time of collection?
You have a compliance problem. DPDPA requires documentation at the time of collection. Retroactively adding it later weakens your defense in a regulatory investigation. Best practice: embed ground documentation in every collection mechanism—print it on forms, include it in email confirmations, show it at digital registration.
Q8: Are international attendees exempt from DPDPA protections?
No. Section 4 applies to all personal data collected at a trade show hosted in India, regardless of where the attendee is from or whether they are an Indian national. A visitor with a US passport is protected under DPDPA. Ensure your compliance covers all attendees equally.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →