Participant Timing Data & DPDPA Section 4: What Marathon Organizers Must Protect
| Applies to | Marathon organizers, sports event companies, running clubs, and half-marathon operators in India |
| Primary law | DPDPA 2023 · Section 4 |
| Penalty ceiling | Up to ₹150 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — 2026-07 |
| Source | DPDPAReady Compliance Team |
The Case of FitRace Mumbai 2026: Understanding DPDPA Section 4 Personal Data
FitRace Mumbai is a premier half-marathon attracting 15,000 runners annually. For the 2026 edition, the organizers faced a silent compliance crisis: they were collecting personal data on every participant but had no formal process documenting which data points triggered DPDPA protection under Section 4.
What Counts as “Personal Data” Under Section 4?
Section 4 of the Digital Personal Data Protection Act, 2023 defines the scope of personal data regulated by the Act. The Act explicitly states:
“Personal Data means any information relating to an identified or identifiable natural person.”
For FitRace Mumbai, this definition proved broader than expected. Eight data categories immediately triggered Section 4 compliance:
- Obvious data: Names, emails, phone numbers, addresses (clearly identifiable)
- Medical data: Asthma history, allergies, cardiac conditions (health-related = regulated)
- Biometric data: Timing chip recordings, race photos, video footage
- Financial data: Credit card details, payment transaction IDs
- Behavioral data: Pace history, previous race finishes, withdrawal records
- Contact tracers: Emergency contact names and phone numbers
- Preferences: Age category, preferred merchandise sizes (linked to individual)
- IP logs: Website login data, app usage timestamps
Under Section 4, any of these qualifies as personal data because they relate to an identified or identifiable individual. The Act does not distinguish by sensitivity—Section 4 includes everything from bib numbers to medical conditions.
The Penalty Exposure: Why Negligence Costs ₹150 Crore
FitRace’s data manager initially thought, “It’s just race times and emails—how bad can it be?” That thinking exposed them to massive liability.
Section 4 compliance failures—particularly when an organizer collects personal data without properly identifying or classifying it—fall under the notice and grounds breach category, carrying penalties up to ₹150 crore per violation.
The risk chain runs deep:
- Year 1: FitRace collects 15,000 × 8+ data points = 120,000+ personal data records
- No audit: No documentation of what qualifies as personal data under Section 4
- Breach incident: Timing chip data leaked; 5,000 participants’ names, ages, medical conditions exposed
- DPDP Authority investigation: Confirms FitRace failed to even identify personal data under Section 4
- Penalty assessment: ₹150 crore fine + reputational collapse + civil claims from participants
A single marathon’s data mishandling can trigger the full ₹150 crore exposure because Section 4 breaches are not scaled by business size—the Act applies uniformly to all data controllers.
How Section 4 Requires You to Structure Your Data Handling
Section 4 does not just define personal data—it creates three operational obligations that cascade through your entire business.
1. Classification Obligation
You must formally identify which data you collect qualifies as personal data under Section 4. FitRace implemented:
- A data inventory spreadsheet listing every field collected in registration, timing systems, payment, and third-party integrations
- A “Section 4 Classification” column marking each as personal data (Yes/No)
- Written justification for edge cases (e.g., “Is preferred race bib color personal data?” Answer: Only if linked to the runner’s identity in your database)
2. Scope Boundary: Identifiable vs. Identified
Section 4’s definition includes identifiable natural persons, not just identified ones. This distinction caught FitRace off-guard:
- Anonymized timing data (no name) + race bib number + publicly posted finishing times = identifiable (someone could link bib to name via social media). Result: Still personal data.
- De-identified health survey (no name, no ID, merged with 500+ runners) = NOT identifiable if technically irreversible. Result: Not personal data if truly anonymized.
- Shoe preference alone (no name, no race number) = Not identifiable. Result: Not personal data.
FitRace’s mistake: They stored shoe type + running pace + email in the same database. The combination made shoe type personal data under Section 4 because it was linked to an identifiable individual.
3. Purpose Linkage
Data is personal under Section 4 only when related to identifying a person in the context of that specific purpose. For marathons:
- Race bib + timings + email in a CRM = Clearly personal data (linked identifier)
- Race bib + timings alone in an anonymized results feed = Borderline (could be non-personal if truly de-identified)
- Shoe type without any identifier = Not personal data
Section 4 Compliance Checklist for Marathon Organizers
- Data Inventory: List every field your registration form, timing system, payment processor, and sponsor integrations collect
- Classification: Mark each field as personal data under Section 4 (Yes/No) with written justification
- Pseudonymization audit: Confirm you’re not accidentally creating identifiable records through data linkage across systems
- Retention policy: Document how long each personal data category is retained post-event
- Third-party review: Have a lawyer review your Section 4 classification—edge cases are common and costly
- Participant transparency: Your registration page must disclose (per Section 4 scope requirements) what personal data you collect, why, and for how long
- Vendor audit: Ensure payment processors, timing chip providers, and email platforms classify data correctly and comply with Section 4 downstream obligations
- Breach protocol: Document what you will do if personal data under Section 4 is exposed (notification, Authority reporting, etc.)
Real-World Cost of Section 4 Ignorance
FitRace’s correction cost (after they got serious about compliance): ₹18 lakhs for data governance software, ₹8 lakhs for legal review, 2 months of operational friction. Their near-miss with a DPDP Authority complaint would have cost them ₹150 crore.
For smaller marathons (5,000 runners), the same Section 4 breach carries the same ₹150 crore penalty. The Act does not scale liability by revenue or event size—only by the scope of personal data you control. A 5,000-runner half-marathon faces equal exposure to a 50,000-runner mega-marathon if both misclassify Section 4 personal data.
What Happens After You Classify Data Under Section 4?
Correctly identifying personal data under Section 4 is just the beginning. Your classification decisions force downstream compliance across the entire Act:
- Section 6: You need a lawful basis for processing (consent, contract, or legitimate purpose)—data classification determines which basis applies
- Section 8: You must protect personal data with security measures proportional to the data’s sensitivity under Section 4
- Section 10: You must erase personal data within retention limits you set based on Section 4 scope
- Section 12: Participants have right-to-erasure claims rooted in Section 4’s definition
Misclassifying data under Section 4 cascades into violations across Sections 6–12 and multiplies your penalty exposure.
Frequently Asked Questions
Q: Are race bib numbers personal data under DPDPA Section 4? A: Only if they can be linked to an identified or identifiable person. Bib numbers alone (e.g., #4521 with no name) are not personal data under Section 4. But bib numbers published on a public results page together with names, times, and age groups ARE personal data because someone could identify the individual. If you publish results online, treat bib + name + time as personal data and ensure you have consent (Section 6) or a lawful basis for processing.
Q: What about anonymous race statistics—are those personal data under Section 4? A: Not if they’re truly anonymized (irreversibly de-identified per Section 4 standards). Example: “Average finish time: 45 minutes” aggregated across 10,000 runners = not personal data. But “Runner in age category 30-35, wears Nike shoes, average pace 6:30/km” with only 50 runners matching that profile = likely personal data under Section 4 because re-identification is possible. When in doubt, apply the Section 4 definition: if an individual could be identified through data combination, it’s personal data.
Q: Does DPDPA Section 4 apply when corporate sponsors collect runner data? A: Yes. If a sponsor (e.g., a running shoe brand) receives participant names, emails, or shoe size preferences through marathon registration, that data is personal data under Section 4 unless participants explicitly consent to sponsor data sharing. Many marathons incur ₹150 crore exposure by negligently passing participant personal data to sponsors without disclosing it in the privacy policy or registration terms.
Q: Can we collect health data (allergies, asthma, cardiac conditions) and stay compliant with Section 4? A: Yes, but you must formally classify it as personal data under Section 4 and document your lawful basis (e.g., contract necessity for participant safety, or explicit written consent). Simply saying “for medical emergencies” in your T&Cs is not sufficient. Health data is inherently sensitive under Section 4, and the DPDP Authority expects written, granular consent or a clear contractual clause stating health data collection, storage duration, and use.
Q: How long can we retain participant personal data under DPDPA Section 4? A: Section 4 defines the scope of personal data but does not directly mandate retention periods. However, once you classify data as personal data under Section 4, Section 10 requires you to erase it when the purpose ends. For marathons: runner names, emails, race times, and medical data should typically be erased 12 months after the event (or per your stated privacy policy) unless the participant opts into a recurring mailing list with explicit, fresh consent. Document your retention policy and stick to it—retention periods must align with Section 4 scope.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →