Corporate Event & HR Data: Handle Section 12 Corrections in 30 Days
| Applies to | Corporate event organizers, HR departments, and employee management firms operating in India |
| Primary law | DPDPA 2023 · Section 12 |
| Penalty ceiling | up to ₹200 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — 2026-07 |
| Source | DPDPAReady Compliance Team |
The Full Text of Section 12: Right to Correction and Erasure
Section 12 of the DPDPA 2023 grants Data Principals the right to request correction, completion, updating, or erasure of their personal data. Here is the operative language:
Section 12 — Right to Correction and Erasure
(1) A Data Principal may request a Data Fiduciary to correct inaccurate personal data, complete incomplete personal data, update personal data, or erase personal data that is no longer necessary for the purpose for which it was collected or processed.
(2) A Data Fiduciary shall, within thirty days of receiving such a request, take such steps as are necessary to comply with the request, unless the retention of such personal data is required or authorised by any other law for the time being in force.
Clause-by-Clause Breakdown
Right to correct inaccurate data: If an employee’s record contains a wrong phone number, incorrect designation, or misspelled name, they have a statutory right to demand correction. For event organizers, this means attendee registrations may contain typos or outdated contact information that must be corrected on request.
Right to complete incomplete data: If a registration form was submitted with only a first name (no last name) or no email, the Data Principal can demand that you complete the record. This is especially relevant for event forms where attendees may skip optional fields.
Right to update personal data: Data ages. An employee’s department changes; an event attendee’s phone number changes; a contractor’s contract end date passes. The Data Principal can demand that you refresh stale data to reflect current reality.
Right to erase data no longer necessary: Once an event ends and attendance has been recorded, are you still retaining attendee phone numbers? Once an employee departs, are you still storing their performance reviews in an active file? Section 12 says erasure is mandatory if data is “no longer necessary for the purpose for which it was collected.”
30-day compliance window: You have exactly 30 days from receipt of a written or electronic request. No extensions. No delays.
Retention carve-out: The only exception is if another law requires you to keep the data (e.g., labour law mandates 3 years of payroll records; IT Act rules require server logs; company law requires statutory documents). You must cite the specific law to refuse an erasure request.
Why Section 12 Poses Distinct Risk for Corporate Events & HR Teams
Unlike IT departments or e-commerce platforms, corporate event organizers and HR teams face a compressed risk window. An employee departure or an event conclusion triggers multiple erasure requests simultaneously—and you must respond within 30 days to each.
Example pressure points:
- An employee resigns: they request deletion of their training records, performance reviews, personal phone numbers, and dietary preferences from your event management system. You have 30 days.
- A corporate event concludes: 500 attendees request erasure of their contact details from the registration database. You have 30 days per request or face penalties up to ₹200 crore.
- A contractor’s term ends: they demand deletion of their hourly timesheets, assigned tasks, and communication logs. Failure to comply = ₹200 crore exposure.
The challenge is compounded by integration—your HRIS system, event management platform, email lists, and document storage may all hold copies of the same person’s data. Correcting or erasing it in the database is not enough; you must trace and update every system within the 30-day window.
Common data silos in corporate events & HR:
- HRIS databases (SAP, Workday, ADP)
- Email and calendar archives (Gmail, Outlook)
- Event management platforms (Splash, Bizzabo, Eventbrite)
- Document storage (Google Drive, SharePoint, physical filing)
- Third-party integrations (payroll, benefits, ATS systems)
- Backup systems and disaster recovery files
Each holds a copy of the Data Principal’s personal information, and Section 12 requires deletion from all of them within 30 days.
Mapping Section 12 to Corporate Events & HR Data Categories
Employee & Contractor Data
- Personal identifiers (name, employee ID, passport/Aadhaar if collected)
- Contact information (work email, phone, home address, emergency contact)
- Biometric data (fingerprint for access control, facial recognition for attendance)
- Performance data (appraisal scores, annual reviews, promotion history)
- Payroll & tax data (salary slips, bank account, PAN, Form 16)
- Leave and attendance records
- Training and certification records
- Disciplinary records
Event Attendee Data
- Registration form data (name, email, company, designation, phone)
- RSVP status and event history
- Dietary preferences and accessibility requirements
- Event photography and video footage (if personal data)
- Ticket/pass information and entry logs
- Post-event survey responses
- Mailing list opt-ins
Vendor & Contractor Data
- Business contact information
- Invoice and payment details
- Contract documents (often containing personal data of signatories)
- Background check results (if conducted)
- Non-disclosure agreement signatures
Each category has a different retention justification and a different erasure timeline. A recruiter may need to retain a rejected candidate’s resume for 1 year (to avoid re-screening the same person). But once 1 year has elapsed, Section 12 makes erasure mandatory on request.
How to Comply: 7-Step Framework for Data Correction & Erasure Requests
-
Establish a Request Intake Mechanism
- Create a dedicated email (e.g., dpo@events-company.com or datarights@hr-team.in) for Section 12 requests
- Document the date and time you receive every request
- Send an automated acknowledgment within 2 business days confirming receipt and your 30-day timeline
-
Authenticate the Requester
- Verify that the person requesting correction/erasure is the Data Principal (not a third party)
- For high-risk data (payroll, disciplinary), require signed written request or email from a verified corporate email account
- For low-risk data (event RSVP), email suffices
-
Trace All Copies
- Map where the data exists: primary system (HRIS, event CRM), backups, email archives, printed documents, contractor systems
- Create a deletion checklist per data type
- For attachments in emails (e.g., an offer letter), document whether deletion is feasible without deleting the email thread itself
-
Classify the Retention Justification
- For each data element, ask: “Does another law require us to keep this?”
- Labour law: 3 years for payroll, 3 years for attendance, 5 years for statutory compliance documents
- IT Act: Server logs may need retention; document the rule
- Company law: Board minutes, shareholder information, director details—retention periods vary
- If no law justifies retention, erasure is mandatory
-
Execute the Correction or Erasure
- For corrections: update the primary system, verify the update propagated to backups, document the change with a timestamp
- For erasure: delete from primary system, delete from backups (or anonymize if backup retention is mandated), purge email archives if possible, destroy printed documents per your document retention policy
- Log the action with timestamp and name of person who performed it
-
Provide Proof of Compliance
- Within 30 days, send the Data Principal a written response (email is sufficient) confirming:
- The specific data that was corrected/erased, or
- If you refused, the specific law that justified retention (cite section and act name)
- Provide a copy of any correction made (e.g., “We corrected your phone number from +91 98765 43210 to +91 98765 43211”)
- Within 30 days, send the Data Principal a written response (email is sufficient) confirming:
-
Retain Compliance Records
- Keep records of the request, the action taken, and proof of response for at least 1 year
- These records are your defence if a penalty investigation occurs
- Redact the Data Principal’s personal data in these records to avoid creating new personal data unnecessarily
Real-World Scenarios for Corporate Events & HR
Scenario A: Employee Departure with Training Records
Anil, a senior project manager, resigns from an IT consulting firm. He requests erasure of all personal data, including training certificates he completed while employed (technical certifications, compliance training, soft skills workshops).
What Section 12 requires:
- Payroll records, tax documents, and statutory compliance records → retain for 3 years per labour law
- Training certificates → if they are the employee’s intellectual property or if training was external (e.g., AWS certification), the employee can request erasure; the firm has no law requiring retention
- Performance reviews, leave records, disciplinary records → no law mandates retention once employment ends; erasure is mandatory on request within 30 days
Compliance action:
- Delete all training records from the HRIS and email archives (within 30 days)
- Retain payroll and tax records for 3 years (with legal justification provided to Anil)
- Send Anil written confirmation: “We have erased your performance reviews, training records, and personal contact details from our systems as of [date]. We are retaining your payroll records until [3-year date] as required by Section 2 of the Wages Act and Income Tax Act.”
Scenario B: Event Attendee Data Correction Request
Priya registered for a corporate conference and entered her designation as “Senior Manager.” She was promoted to “Director” 2 weeks before the event. She requests a correction to her badge and the attendee list to reflect her new role.
What Section 12 requires: The previous designation is no longer accurate; correction is not discretionary. You have 30 days.
Compliance action:
- Update the registration database within 2 business days
- Reprint her badge to reflect “Director”
- Update the attendee list/directory if one is being distributed
- Send Priya written confirmation: “We have corrected your designation from Senior Manager to Director in our event records, effective [date].”
Frequently Asked Questions
Q1: Can I retain an employee’s personal data in a “terminated employee archive” indefinitely? A: No. Once employment ends, you can only retain data if a specific law requires it (e.g., labour law for payroll, company law for board-approved documents). Personal contact details, emergency contact numbers, or dietary preferences do not fall under any mandatory retention law. You must erase them within 30 days of the employee’s request unless you can cite a specific statute. Mere business convenience (“we might rehire them someday”) is not a legal justification under Section 12.
Q2: An event attendee requests erasure of their phone number, but our contract with the event sponsor requires us to provide attendee contact details for networking. Can we refuse? A: No. A commercial contract between you and a third party does not override a Data Principal’s statutory right under Section 12. You must erase the attendee’s phone number on request. If your event sponsors require attendee contact information, you must revise your data collection process going forward—e.g., collect contact details separately and only with explicit consent, or use a different mechanism (LinkedIn-based networking instead of email lists). Retaining data against the Data Principal’s will to satisfy a third party’s commercial interest violates Section 12.
Q3: If an employee requests data correction but my HRIS system does not allow historical edits (it only allows overwrite), am I still compliant? A: Yes, if you overwrite the data correctly and document the change. Section 12 requires correction, not preservation of audit trails. However, best practice is to: (1) Correct the primary database immediately, (2) Log the correction in your system audit (name of corrector, timestamp, old value, new value), (3) Send the Data Principal confirmation of the correction. Your system limitation does not excuse non-compliance; you must find a technical or procedural workaround.
Q4: An employee requests erasure of performance reviews from their first year of employment (5 years ago). We have a company policy that performance reviews are kept for 7 years. Does our policy override Section 12? A: No. A company policy does not constitute “law” under Section 12. Only retention mandated by statute (labour law, IT Act, company law, income tax law, etc.) justifies refusal. If no statute requires 7-year retention of performance reviews, you must erase within 30 days. If you believe performance reviews should be retained for business or legal risk reasons, you must obtain explicit legal counsel that a specific statute applies—but company policy alone does not suffice under Section 12.
Q5: We host a large annual corporate event with 2,000 attendees. If 500 attendees submit erasure requests simultaneously, can we ask for an extension beyond 30 days due to volume? A: No. Section 12 does not provide for volume-based extensions. You have 30 days per request, period. To manage volume, you should: (1) Set up batch processing (e.g., “requests submitted on Monday are processed by Friday”), (2) Automate erasure where possible (e.g., bulk deletion of phone numbers from the event CRM), (3) Allocate resources (hire a contractor or reassign staff) to handle the load, (4) Document your process to demonstrate good-faith compliance effort. Operational difficulty does not justify violating the 30-day timeline.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →