✓ Link copied
DPDPA 2023 Compliance

Employee vs Attendee Data Under Section 4: Corporate Event Compliance Essentials

Applies toCorporate event organisers, HR departments, and event management companies in India handling employee and attendee personal data.
Primary lawDPDPA 2023 · Section 4
Penalty ceilingup to ₹150 crore per violation (Section 4 principles breach)
Enforcement statusData Protection Board accepting complaints — 2026-07
SourceDPDPAReady Compliance Team

The Attendee-List Mistake That Costs ₹150 Crore

An event management company sent 2,000 attendee names to three sponsors for “future business outreach” without consent. The sponsors weren’t data processors—they were unrelated third parties. One attendee filed a complaint. Under Section 4 of DPDPA 2023, this violated purpose limitation, lawfulness, and the principle of fair processing. Exposure: ₹150 crore.

Your employees gave consent when they joined your company; your event attendees gave consent only for the event. Section 4 treats these two categories completely differently—and most corporate events get this wrong.

What Section 4 Requires: The Six Core Principles

DPDPA 2023 Section 4 mandates that personal data must be handled according to six principles:

Section 4 Principles for Handling Personal Data:

  1. Lawfulness and Fairness — Processing must have a legal basis and be fair to the individual
  2. Purpose Specification and Limitation — Collect data for a clear purpose only; do not repurpose without fresh consent
  3. Data Minimization — Collect only what is necessary for that purpose
  4. Accuracy — Keep data accurate and up-to-date
  5. Storage Limitation — Retain data only as long as necessary for the stated purpose
  6. Integrity and Confidentiality — Protect data from unauthorized access and loss

Every corporate event violates at least one of these. The difference between employee data and attendee data determines which principles apply, how strictly, and for how long.

Employee Data vs Attendee Data Under Section 4: The Comparison

Section 4 PrincipleEmployee DataAttendee DataReal-World Impact
LawfulnessLawful basis: employment contract (implicit consent)Lawful basis: explicit, event-specific consent checkboxEmployees = no registration form needed; Attendees = mandatory checkbox or non-compliant
Purpose LimitationPurpose: payroll, benefits, performance, HR commsPurpose: event access + event-specific comms onlyYou can email employees about company events; can’t email attendees about anything else
Data MinimizationMinimum needed: name, ID, email, department, bank accountMinimum needed: name, email, dietary need (if meal service) onlyEmployee form has 20 fields; attendee form has 3 fields
AccuracyEmployee updates own data in HR systemAttendee accuracy verified at event check-in onlyEmployee data is “living”; attendee data is “point-in-time”
Storage LimitationRetain per employment tenure + 5–7 years statutory holdDelete 30 days post-event (or 90 days if photos retained separately)Employee data lives years; attendee data dies after event
Integrity & ConfidentialityHigh standard: annual compliance audit, encryption always, role-based accessHigh standard (same), but short lifecycle: event platform with DPA, then deletionBoth need encryption and access controls; attendee data has shorter exposure window

The critical difference: Employees give consent once (at hire); attendees give consent once per event. Reusing attendee data from Event A at Event B requires new consent.

Real Corporate Event Scenarios Under Section 4

Scenario 1: Team Building Event (30 Employees + 10 External Guests)

What You Collect (Section 4 Minimization):

  • Employees: name, email, dietary needs, attendance status (lawful basis: employment contract)
  • Guests: name, company, email, dietary needs, attendance status (lawful basis: explicit consent checkbox at invite)

Compliant Under Section 4:

  • Employee emails: “Confirming your attendance; details sent to {event_date}. Dietary note: {preference}.”
  • Guest emails: Same content, but you also include a privacy notice: “We’ll store your data for this event only. Your email will be deleted 30 days after the event. We will NOT share your information with vendors or sponsors.”
  • Data shared with caterer: Dietary preferences only (no names or emails), via a data processor agreement (DPA).
  • Photos: You took photos; you state “Photos will be stored for 30 days, then deleted.” If you want to keep them longer, you need separate photo consent.
  • Retention: Delete guest list 30 days after event; employee attendance record stays (tied to HR records).

Violation Examples:

  • Vague purpose: “We’ll use your email for future company events” → Violates Section 4 purpose limitation (too broad, too indefinite).
  • No consent: Adding guests to your company newsletter after the event → Violates lawfulness (new purpose, no consent).
  • Data minimization fail: Collecting guest job title, seniority, annual spend → Violates Section 4 minimization (not event-necessary).
  • Storage violation: Keeping guest list for 2 years to “identify repeat attendees for loyalty rewards” → Violates storage limitation (no stated retention purpose at time of collection).

Scenario 2: Annual Awards Gala (500 External Attendees)

What You Collect:

  • Name, email, company, plus size (for awards dinner outfit).

Compliant Under Section 4:

  • Consent checkbox at registration: “I consent to LIT Events storing my data for: (1) Event access, (2) Attendee check-in, (3) One post-event thank-you email. My data will be deleted 30 days after the event. I will NOT be added to any mailing list.”
  • Purpose documented: Event access + check-in + one thank-you email (specific, narrow).
  • Data processor: Registration platform (e.g., Eventbrite) has a DPA with you; you instruct them to delete data 30 days post-event.
  • Plus-size data: Shared with clothing vendor as “size only” (no names), via DPA.
  • Email list: Deleted immediately after thank-you email is sent.
  • Photos: Separate, explicit consent: “By checking here, I consent to my photo being taken and stored for company promotional use. Photos will be deleted after 90 days.” (If attendee doesn’t check, no photos of them).
  • Penalty risk: Zero (all Section 4 principles met).

Violation Examples:

  • No consent checkbox: Collect email, assume consent → Violates lawfulness.
  • Vague retention: “We’ll keep your data for future gala invitations” → Violates purpose limitation (next year’s gala is new event, needs new consent).
  • Reuse without consent: Add attendees to your company blog newsletter → Violates purpose limitation (new purpose, original consent was event-only).
  • Accuracy gap: Email bounces after event, but you never verify → Violates accuracy (should re-verify if you retain data beyond 30 days).

Scenario 3: HR Compliance Seminar (200 Internal Employees + 100 External HR Professionals)

What You Collect:

  • Employees: name, designation, email (lawful basis: employment + event coordination).
  • Externals: name, company, email, professional experience (lawful basis: explicit consent for seminar access).

Compliant Under Section 4:

  • Employee consent: Sent internal memo 2 weeks before: “All staff invited to HR Compliance Seminar on {date}. Your name and email will be used for check-in and event comms only. Attendance data will be stored in your HR file (for leave records).”
  • External consent: Included in invite email: “We’ll use your email for seminar check-in and send you the event slides (one email, 48 hours post-event). Your data is deleted after that. We will NOT share your company name or contact info with third parties.”
  • Video recording: Separate consent form (not assumed from attendance). “By checking here, you consent to video recording and agree that this recording will be used for internal training purposes only, stored for 6 months, then deleted.” (Employees: assume consent if stated in memo; Externals: mandatory checkbox).
  • Video data shared: Stored on secure internal server (not on Zoom cloud); deleted after 6 months per retention policy.
  • Seminar slides: Sent to all attendees (employees + externals) as promised; no third-party sharing.
  • Retention: Employee attendance in HR file (tied to employment); external attendee data deleted 30 days post-seminar.

Violation Examples:

  • Recording without consent: Video recorded, but attendees weren’t told → Violates lawfulness and integrity (hidden processing).
  • Vague recording purpose: “Videos for company use” (too broad) → Violates Section 4 purpose limitation.
  • Sharing without consent: Forwarding video to an external HR consultant → Violates purpose (was “internal training only”).
  • Data minimization fail: Collecting “professional experience” and then using it to score attendees as “high-potential hires” for a separate recruitment initiative → Violates purpose limitation (secondary use without consent).

Scenario 4: Product Launch Event (1,000 Attendees, 50% Employees, 50% External)

What You Collect:

  • Badge name, email, company (for event access + check-in tracking).

Compliant Under Section 4:

  • Employees: included in company event comms (lawful basis: employment); no separate consent needed for badge data (already disclosed in pre-event email).
  • Externals: consent checkbox at registration: “I consent to LIT Events storing my badge name and email for: (1) Event access, (2) Check-in tracking, (3) One post-launch thank-you email. Data will be deleted 7 days after the event.”
  • Badge scanning: Records only badge scan time (not which booths visited, which sponsors you talked to). Section 4 minimization: scan-time data is minimal and event-necessary.
  • Email list: Used for one thank-you email on day 2; email list deleted on day 3 (after send confirmation).
  • Purpose documented narrowly: “Event access and check-in only; post-event summary email only.” Not “future marketing,” not “lead database,” not “sponsor outreach.”
  • No secondary use: Attendee company names are NOT sold, shared, or used for future targeting.

Violation Examples:

  • Hidden tracking: Badge scans track which sponsor booths attendee visited, then shared with sponsors → Violates lawfulness (purpose not disclosed at registration) and minimization (tracking data not necessary for event access).
  • Purpose creep: “We’ll email you about the product and future launches” → Violates purpose limitation (new purpose; future launches are new events, need new consent).
  • Data sharing: Attendee list shared with “5 premium sponsors for follow-up lead outreach” → Violates lawfulness (purpose not disclosed) and minimization (sharing attendees’ personal data with unrelated third parties).
  • Retention violations: Keeping badge scan data for 6 months to “analyze attendee behavior” → Violates storage limitation (no retention purpose stated at registration; this is secondary analytics use).

The Section 4 Compliance Checklist for Corporate Events

Before your next event, audit these six principles:

1. Lawfulness & Fairness (Section 4)

  • Employees: Memo sent stating data will be used for event access/comms (lawful basis: existing employment consent covers this).
  • Attendees: Consent checkbox at registration (“I consent to…”).
  • No hidden processing (e.g., no badge-tracking without disclosure).
  • Fair notice: Attendees know what will happen to their data (shared with vendors? stored post-event?).

Red flag: “We’ll email you about future events” without specifying what future events or getting consent each time.

2. Purpose Specification & Limitation (Section 4)

  • State exactly why you’re collecting data: “Event access, check-in, one post-event email” ✓ vs. “future marketing” ✗
  • Do NOT collect data for a purpose you might use later without consent.
  • If you add a new purpose later (e.g., “we now want to analyze attendee sentiment”), get fresh consent or delete the data.

Red flag: “We might email you later” or “for our records” (too vague).

3. Data Minimization (Section 4)

  • Registration form: Only 3–5 fields (name, email, dietary need, company).
  • Avoid: demographics, job title, salary, personal preferences, detailed feedback.
  • Collect dietary data only if you’re providing meals; skip it otherwise.

Red flag: Registration form with 20+ fields or questions about “interest in future partnerships.”

4. Accuracy (Section 4)

  • Employees: They update their own HR data; no action needed on your part.
  • Attendees: Send confirmation email immediately after registration (“Please confirm your email is correct”).
  • If you email attendees post-event, only do so within 7 days (data is fresh and accurate).

Red flag: Emailing attendees 6 months later; email accuracy has drifted, bounces increase.

5. Storage Limitation (Section 4)

  • Attendee list: Delete 30 days post-event (or 90 days if separate photo consent).
  • Employee attendance: Store per employment (tied to HR/payroll records).
  • Photos: Delete 30 days unless separate, multi-year consent obtained.
  • Set automatic deletion in your event platform (don’t rely on manual deletion).

Red flag: “We’ll keep attendee data for 2 years to identify loyal attendees” (violates storage limitation if not disclosed and consented to at registration).

6. Integrity & Confidentiality (Section 4)

  • Event platform: Must be DPDPA-compliant with a DPA (check Eventbrite, Zoho Events, etc.).
  • No unencrypted email forwarding of attendee lists.
  • Limited access: Only event organizers and caterer (processor) can access attendee data.
  • No sharing with sponsors, marketers, or external databases.

Red flag: Attendee list stored in Google Sheets or forwarded via unencrypted email to stakeholders.

Penalties for Section 4 Breaches: How ₹150 Crore Happens

DPDPA 2023 Section 4 breaches fall into the ₹150 crore penalty category (Sections 5–6 incorporate Section 4 principles). Here’s how exposure scales:

Event SizeViolationExposure
50 external attendeesNo consent checkbox; shared with 2 sponsors₹150 crore (50 × 2 violations = 100 complaints possible; penalties aggregate)
500 external attendeesEmail added to newsletter without consent₹150 crore (500 individuals × unauthorized secondary purpose)
2,000 external attendeesData retained for 1 year for “future targeting”₹150 crore (storage limitation breach × scale)
100 employees + guestsBadge data shared with unnamed “analytics firm”₹150 crore (lawfulness + minimization violation; sponsors named as processors but no DPA)

Even a 50-person event triggers ₹150 crore exposure if Section 4 is violated. Scale doesn’t matter; violation type does. Willful violations (knowingly ignoring Section 4) carry higher risk and intent-based penalties.

How to Stay Compliant: The Event Data Workflow

1. PRE-EVENT (2 weeks before)
   ├─ Consent checkbox drafted ("I consent to: event access, check-in, 1x email, 30-day data deletion")
   ├─ Employee memo sent ("Your data used for event/check-in/records per employment relationship")
   ├─ Data processor (platform vendor) DPA reviewed
   └─ Retention schedule set (30 days post-event auto-delete)

2. REGISTRATION (opening)
   ├─ Form: name, email, dietary need only (minimize)
   ├─ Consent checkbox (lawfulness): "I consent to…" [MANDATORY for externals]
   ├─ Privacy notice: "Your data will be…" (purpose, retention, sharing, rights)
   └─ Data flow: Registration platform (processor) → Event organizer → Caterer (if sharing dietary data)

3. AT EVENT (day-of)
   ├─ Badge check-in (minimal data: name, email, status)
   ├─ Photos: Only if separate consent checkbox was checked
   └─ NO hidden tracking (e.g., WiFi tracking, sponsor badge scans)

4. POST-EVENT (days 2–7)
   ├─ Thank-you email sent (using attendee email list)
   ├─ Photo consent honored (photos shared only to attendees who consented)
   ├─ Dietary data deleted (if catering complete)
   └─ Email list deleted after thank-you sent

5. ARCHIVE (day 30 post-event)
   ├─ Attendee data deleted from registration platform
   ├─ Photos archived only if they have separate, multi-year consent
   ├─ Employee event attendance stored in HR/payroll file (tied to employment tenure)
   └─ Compliance audit completed (confirm deletions)

Frequently Asked Questions

Q: We collected attendee emails for “future event invitations.” Is that compliant with Section 4?

A: No. Section 4 purpose limitation requires a specific purpose. “Future event invitations” is too vague—you don’t know which events, when, or what kind. Solution: At registration, state exactly: “We will email you about (1) Event reminders, (2) One post-event thank-you email. We will NOT add you to our newsletter or future event lists without fresh, separate consent.” Then delete the email list after the event. If next year’s event happens, collect new emails with new consent.

Q: Our registration platform (Eventbrite) stores attendee data. Are we liable if they violate Section 4?

A: Yes. Your event platform is a data processor; you are the controller. You are liable for ensuring the processor complies with Section 4 and your instructions. Your DPA with them must include: (1) No use of data beyond your instructions, (2) Deletion on your schedule (e.g., 30 days post-event), (3) Security standards, (4) No sub-processing without approval. If Eventbrite retains attendee data beyond 30 days after your event without your instruction, that’s your breach—you must enforce the contract or switch platforms. Check: Does Eventbrite’s DPA allow 30-day auto-deletion? If not, negotiate it before using them.

Q: Can we take photos at a corporate event without consent?

A: No—not if attendees are identifiable in photos. Photos of named/identified people are personal data. Section 4 lawfulness requires consent. Solution: At registration, add a checkbox: “I consent to photos being taken and used for {specific purpose: company blog, internal newsletter, LinkedIn}. Photos will be deleted after {timeframe: 30 days, 90 days, or 1 year}.” If attendee doesn’t check, don’t photograph them, or blur/anonymize them. Employees can be assumed to consent for internal comms (state in pre-event memo); externals need explicit checkbox.

Q: We want to email attendees 6 months after the event to invite them to next year’s event. Is that allowed under Section 4?

A: No. Section 4 storage limitation means once the event purpose is served (typically 30 days post-event), the data should be deleted. Retaining attendee emails for 6 months to “invite them next year” violates storage limitation (no stated purpose at collection time) and purpose limitation (reusing data for a new event without fresh consent). Solution: Delete attendee data 30 days after Event A. When Event B is planned, run a new registration and collect new consent. This is twice the registration effort, but it’s Section 4 compliant.

Q: We collected employee attendance at a corporate event. Can we use that data for HR appraisals (“showed up to teambuilding”)?

A: Yes, but with care. Employee attendance data is tied to employment, so Section 4 lawfulness is covered by the employment relationship. However, Section 4 purpose limitation and accuracy apply: If attendance was collected for “event logistics,” using it for “appraisal scoring” is a secondary purpose. Solution: At the event, state the purpose broadly: “Attendance data will be stored for event coordination, HR records, and company culture tracking.” This covers both logistics and appraisal use. Do NOT use event attendance for punitive purposes (e.g., “attendance determines pay”) without explicit employee notice and consent.

Q: If we use a video recording consent form at our event, does that override Section 4 storage limitation?

A: No. Consent allows you to process data (record video); storage limitation still applies. If the form says “Videos will be deleted after 6 months,” you must delete after 6 months even if consent was obtained. If you want to keep videos longer, you need explicit, separate consent stating the longer timeframe. Section 4 requires that the purpose AND retention period are stated upfront. Solution: Video consent form should state: “Videos will be used for {purpose: internal training, public social media}. Retained for {timeframe: 6 months, 1 year, permanently}. By consenting, you agree to this retention period.” This satisfies storage limitation (specified at consent time) and lawfulness (clear disclosure).

DPDPA Section 4 principles employee dataCorporate event attendee data complianceEmployee data handling DPDPAData minimization corporate eventsDPDPA lawfulness of processingCorporate event consent DPDPAEvent registration data protection India
VERIFIED DPDPAReady Editorial Desk 9 JUL 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →