✓ Link copied
DPDPA 2023 Compliance

9 Critical Data Rights Under Section 12: Glossary for 100,000+ Marathon Participants

Applies toMarathon organizers, sports event management companies, and race registration platforms handling 10,000+ participants annually across India
Primary lawDPDPA 2023 · Section 12
Penalty ceilingup to ₹200 crore
Enforcement statusData Protection Board accepting complaints — 2026-07
SourceDPDPAReady Compliance Team

Understanding Section 12: The Data Principal’s Right to Correction and Erasure

For marathon organizers, sports event coordinators, and race management platforms, participant data is mission-critical. Registration numbers, payment details, emergency contacts, medical history, GPS tracking data, and performance records flow into your systems daily. But participants retain statutory rights to those records—rights codified in Section 12 of the Digital Personal Data Protection Act, 2023. Mishandling these rights creates operational friction, legal exposure, and reputational damage. This glossary defines the key obligations and terminology that govern how you must handle data correction and erasure requests from the 50,000+ runners across a typical marathon circuit.

What Does Section 12 Say?

Section 12 of the DPDPA establishes the legal foundation for data principals’ rights:

“A Data Principal shall have the right to request a Data Fiduciary to correct, complete, update, or erase personal data, in accordance with the provisions of this Act. A Data Fiduciary shall comply with such a request unless retention of personal data is required by law.”

For a marathon organizer, this translates into a non-negotiable obligation: when a runner asks you to fix their recorded bib number, correct their emergency contact, or delete their participant file after the event, you must act—unless legal retention rules (tax law, anti-fraud obligations, contractual records) require you to keep the data.

Section 12 Glossary: Essential Definitions for Sports Event Compliance

Right to Correction

Definition: A data principal’s statutory right to demand that inaccurate personal data be fixed. Under Section 12, a marathon organizer must update participant records when runners report errors.

Sports Event Context: A runner provides a corrected phone number after registration closes. Their medical allergy history was entered as “shellfish” instead of “shellfish + peanuts.” Their recorded marathon time is flagged as incorrect by the athlete. Under Section 12, you must process these corrections—typically within 30 days, based on regulatory guidance. Failing to correct known inaccuracies exposes you to data breach liability if that incorrect data is later misused or shared externally.

Right to Erasure

Definition: A data principal’s right to request permanent deletion of personal data when it no longer serves the stated purpose. Under Section 12, erasure requests must be honored unless law mandates retention.

Sports Event Context: Post-marathon, a casual participant requests deletion of all records—registration form, timing data, photos, contact details—because they don’t plan to run again and don’t want their data retained. You must delete it. However, if that participant won an award or placed in top rankings, tax records linking the award prize to their identity may need to be retained for 7 years under income law. That legal retention exception applies narrowly; all other data must be erased. Failure to erase when obligated is a Section 12 breach, triggering audit liability and reputational fallout.

Data Accuracy Requirement

Definition: The obligation to ensure that personal data maintained about a data principal is factually correct and not misleading. Section 12 presupposes accuracy as a baseline; correction rights exist because accuracy sometimes fails.

Sports Event Context: Your race management system auto-calculates marathon split times. If a sensor malfunction records a runner’s 10 km checkpoint time as 2:15 instead of 1:15, that inaccuracy can distort their personal records and affect their self-perception of performance. Runners can demand correction. More critically, if you’ve published or shared that inaccurate timing data with coaching platforms, media partners, or social media leaderboards, the damage ripples. Section 12 compliance requires audit trails showing when corrections were made, why, and proof that shared data was updated downstream.

Definition: Legal or contractual grounds that permit a data fiduciary to retain personal data despite a data principal’s erasure request. These exceptions are narrow and specific. Section 12 permits retention only when mandated by law.

Sports Event Context: Scenarios where you must retain participant data despite erasure requests:

  • Anti-doping records: If your event includes doping tests, anti-doping agencies may mandate 8-10 year retention for anti-fraud purposes.
  • Tax and prize records: Prize money, sponsor payments, or event merchandise transactions create tax reporting obligations; records must be kept per Income Tax Act, 1961.
  • Insurance and liability: Participant injury claims create a 3-year statute of limitations for tort liability; records must be retained.
  • Event repeatability: If a runner won an award in a prior edition and disputes eligibility for the current year, historical records prevent duplicate awards.

Any retention claim beyond these narrow legal hooks is indefensible; erasure must follow.

Legitimate Reason for Retention

Definition: A legal, regulatory, or contractual necessity that justifies keeping personal data longer than the stated initial purpose. Requires written documentation and is subject to Section 12 challenge.

Sports Event Context: A marathon organizer retains participant health histories (medical conditions, medications) beyond the event for “future event coordination.” A runner requests deletion. You argue: “We need to recognize returning runners and prevent duplicate medical screening.” This is not a legitimate reason under Section 12. The original stated purpose (“safe event coordination for this marathon”) has been fulfilled. Keeping it for hypothetical future events that the runner never agreed to is purpose creep and triggers an erasure obligation.

Actual legitimate reasons include:

  • Statutory obligation (tax law, anti-doping rules).
  • Contractual necessity (sponsor agreements requiring audit trails).
  • Legal defense (injury claims require contemporaneous medical records).

Data Fiduciary Responsibility

Definition: Your legal status as the entity collecting and controlling participant data. Under Section 12, data fiduciaries must have processes to receive, verify, and execute correction and erasure requests within defined timelines.

Sports Event Context: You, the marathon organizer (or your registration vendor, if outsourced), are the data fiduciary. This means:

  • You must designate a contact point for data requests (email, form, phone).
  • You must acknowledge requests within 5 business days.
  • You must complete correction or erasure within 30 days (DPDPA timeline).
  • You must document every request, action taken, and reason for any denial.
  • You must notify third parties (timing chip vendors, leaderboard platforms, media partners) if their systems hold copies of the data being erased.

Non-compliance is your liability, not your vendor’s, unless a vendor contract explicitly shifts responsibility.

Implementing Section 12 Compliance in Your Marathon

  1. Establish a Data Request Intake Process Create a publicly accessible channel (email alias, online form, phone line) where runners can submit correction and erasure requests. Train staff to log every request with a timestamp and unique reference number.

  2. Audit Your Data Systems Document every system holding participant data: registration database, timing chip platform, photo library, leaderboard website, email lists, sponsor dashboards, insurance forms. Map which data is in each system and who has access.

  3. Define Retention Rules in Writing For every data category (names, contact info, medical history, performance times, photos), write down why you’re keeping it and for how long. Flag categories where a legal retention exception applies; require proof.

  4. Create a Data Request Template When a runner requests correction or erasure, use a standardized form capturing: their name, request type (correction or erasure), data items affected, and reason (optional). This creates an audit trail for regulatory review.

  5. Set a Correction/Erasure Turnaround SLA Commit to a 30-day maximum response time. For correction requests, specify how you’ll verify the new information. For erasure, list all downstream systems where data must also be deleted.

  6. Test Downstream Data Flow If you share timing data with sports apps, leaderboard platforms, or media partners, ensure your data deletion protocols cascade. An erased runner should not reappear on third-party leaderboards.

  7. Document Denials If you deny an erasure request (because retention is legally required), send the runner a written explanation citing the specific law or regulation. Keep this denial memo for 3 years; it’s your defense if audited.

  8. Train Your Team Staff handling registrations, medical screening, and customer service must understand that Section 12 requests are statutory obligations, not optional. A delayed response or dismissive tone creates legal and PR risk.

Frequently Asked Questions

Q: A marathoner asks me to delete their race bib number and timing data. Do I have to comply?

A: Yes, under Section 12, provided no legal retention exception applies. If the event has concluded and no tax, anti-doping, or liability claim is pending, deletion is mandatory. The stated purpose of collecting that data (event coordination) is satisfied. Retention for “future event history” is not a valid Section 12 exception. Process the request within 30 days and confirm completion in writing.

Q: Can I charge a fee for handling a Section 12 correction or erasure request?

A: No. Section 12 rights are statutory, not services. Charging for request processing—or threatening to charge—is non-compliant. You may charge only if the request is manifestly unfounded, excessive, or repetitive; even then, the burden of proof is yours and must be documented. For routine requests, no fee is permitted under DPDPA guidance.

Q: A sponsor insists we share the race leaderboard with their digital platform. A runner later requests erasure. Who is liable if the sponsor’s platform doesn’t delete the data?

A: Both you and the sponsor are liable. You are the primary data fiduciary; you initiated the data sharing. Section 12 imposes a duty on you to ensure downstream systems honor erasure requests. Before sharing leaderboard data with a sponsor, ensure a data-processing agreement (DPA) is in place requiring the sponsor to honor deletions within 15 days of your notification. Document that the sponsor has confirmed receipt and deletion. If they don’t comply, you remain liable to the runner, and you may face regulatory action for failing to enforce downstream compliance.

Q: How long must I retain participant health data (allergies, medical conditions) after the marathon ends?

A: Only as long as legally required. If a participant suffers an injury during the race and files a liability claim within 3 years, retain their health history to defend that claim. After the claim is resolved or the 3-year statute expires, erasure is mandatory under Section 12 unless another legal obligation (e.g., insurance policy, anti-doping rule) mandates longer retention. Document your retention rationale in writing; a runner’s erasure request should trigger a review of whether that legal ground still applies.

Q: Can I anonymize participant data instead of erasing it to avoid losing insights for next year’s event?

A: Anonymization is not erasure, but it must be irreversible and verifiable. If you anonymize a runner’s data (remove name, ID, contact info, replace it with a pseudonym), that’s compliant only if the anonymization is cryptographically secure and you’ve documented that re-identification is technically impossible. In practice, most event platforms cannot guarantee this level of anonymization. Safer approach: retain anonymized aggregate insights (e.g., “average race time was 4:35”) without linking to any individual participant. For individual data that cannot be anonymized securely, erasure is the compliant choice.

Q: A runner’s profile shows they ran in 2023 and 2024. They request erasure of their 2024 data but not 2023. Do I have to honor a partial erasure?

A: Yes. Section 12 grants the right to erasure of “personal data” that no longer serves its stated purpose. If the 2023 data is retained for a valid legal reason (e.g., past-year award records or tax records for a prize) and the 2024 data is not, you must separate them and erase only 2024. This requires granular data architecture: ability to delete one year’s records without orphaning prior years. Plan your database schema to enable this level of selective deletion.

Section 12 DPDPA right to correctionMarathon participant data deletion rightsSports event data erasure obligations IndiaDPDPA right to erasure for runnersData accuracy requirements marathonsSection 12 retention obligations sportsParticipant data cleanup DPDPA 2023
VERIFIED DPDPAReady Editorial Desk 23 JUL 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →