✓ Link copied
DPDPA 2023 Compliance

Trade Show Data Deletion: Section 12 Erasure Rights for 4 Attendee Scenarios

Applies toTrade show organizers, exhibition management companies, and event ticketing platforms operating in India
Primary lawDPDPA 2023 · Section 12
Penalty ceilingup to ₹200 crore per violation
Enforcement statusData Protection Board accepting complaints — 2026-07
SourceDPDPAReady Compliance Team

Compliant vs. Non-Compliant Erasure Handling in Trade Shows

Section 12 mandates that Data Fiduciaries honor erasure requests where data is no longer necessary for the stated purpose. For trade shows, this is where most organizers stumble.

The non-compliant organizer receives an attendee deletion request and ignores it because they claim the data is useful for “future event marketing.” Under Section 12, this is grounds for enforcement action.

The compliant organizer processes the request within 30 days, removes the attendee from all active systems (registration database, email lists, lead databases), and confirms deletion in writing—unless a legal hold applies (e.g., GST/financial records retention laws, contract disputes).

ScenarioNon-Compliant ApproachSection 12 Compliant Approach
Registration data”We never delete registrations; they’re in archive.”Delete on request unless retained for tax (7 years) or ongoing contracts.
Photography/videoUse attendee images in promotional content despite deletion request.Stop all use of photos/video; archive only if consent was explicit and ongoing.
Vendor lead listVendor purchased attendee list; treat vendor data as separate.Vendor list is still your (organizer’s) data. Honor deletion or face liability.
Post-event follow-upEmail attendee 6 months later despite prior deletion request.Stop all communications and remove from CRM within 30 days of request.

Four Real Scenarios Under Section 12

Scenario 1: The E-Commerce Expo Organizer (₹50 Lakh Exposure)

Situation: Mid-sized e-commerce trade show gets 3,000 registrations annually. Six months after the event, an attendee emails: “I want my data deleted. I don’t want you marketing future shows to me.”

Wrong move: Reply says, “Your data is archived for 2 years for tax purposes; we can’t delete it.” Result: attendee files DPDPA complaint. Regulator sees no legal hold justification (registration tax records ≠ registration personal data). Penalty risk: ₹200 crore.

Right move: Within 30 days, (1) Delete attendee record from registration system. (2) Remove from email marketing list. (3) Notify vendors that purchased the lead list that this attendee withdrew consent. (4) Document the deletion with date and method. (5) Retain only financial transaction record (invoice, GST) but anonymize the attendee’s name/contact in that record if possible.


Scenario 2: The Photo Rights Confusion at Tech Exhibitions

Situation: Organizer photographed 500 attendees at a 3-day conference. Photos were posted on the event website and LinkedIn. One attendee requests deletion: “Remove my photos and data.”

Wrong move: “Your face is already published; data deletion doesn’t cover photos.” Legally flawed under Section 12 and separate privacy law (right to be forgotten). Photo removal ≠ data erasure, but they’re linked.

Right move: (1) Honor the data deletion request (registration, badge data). (2) Separately, treat the photo as a personal data asset under Section 12 and remove it within 30 days from public channels (website, social media). (3) Archive version only if there was explicit ongoing consent for archival. (4) Notify any third parties (media partners, sponsors) who received the photo that this attendee’s image must be removed.


Scenario 3: The Vendor Data Resale Issue

Situation: Trade show collects attendee data, sells the list to 10 vendors (tech recruiters, service providers). One attendee discovers their data on a vendor’s outreach call and requests deletion from the original organizer.

Wrong move: “We sold the data; vendor owns it now. Deletion request goes to them.”

Why it fails: Under Section 12, you (the organizer) are the Data Fiduciary. You collected the data with implicit or explicit purpose. When an attendee asks you to erase it, you must either (a) comply, or (b) prove retention is legally required. Vendor ownership doesn’t override this.

Right move: (1) Delete from your own systems within 30 days. (2) Notify all vendors in writing that this person withdrew consent; vendors must also delete or face their own Section 12 liability. (3) Document the notice. (4) If a vendor refuses, you may become liable as the original fiduciary for not enforcing deletion with third parties.


Scenario 4: Correction Request for Wrong Email

Situation: Attendee registered with typo: “shiva@gmial.com” instead of “shiva@gmail.com.” Event is 2 weeks away. They request correction but organizer delays updating the system.

Right move (Section 12 correction clause): (1) Within 7 days, update the email in all systems. (2) Notify the attendee confirmation of correction. (3) Resend any critical event updates to the corrected email. Failure to correct in reasonable time is a Section 12 violation.


Section 12 Rights: Word-for-Word from the Act

Section 12(1): The Data Principal shall have the right to correct personal data that is inaccurate, incomplete, or out-of-date; and the Data Fiduciary shall comply with such request within thirty days or such other period as may be specified by the Board.

Section 12(2): The Data Principal shall have the right to erase personal data if it is no longer necessary for the purpose for which it was collected or processed, and the Data Fiduciary shall comply with such request unless retention is required by law.

What this means for trade shows:

  • Correction: Typos, outdated job titles, wrong phone numbers must be fixed within 30 days on request.
  • Erasure: Post-event, if attendee says “don’t contact me again,” you must delete within 30 days unless tax law (GST) or a contract dispute requires retention.
  • “Unless” clause: Financial records (invoices for payment), regulatory holds (fraud investigation), or contract disputes are the only exceptions. Marketing lists don’t qualify.

Practical Compliance Checklist for Exhibition Organizers

  1. Registration System Audit — Can your system delete a record with one click, or is it buried in legacy code? If buried, prioritize system upgrade.
  2. Vendor Notification Template — Draft a letter to send to vendors when an attendee requests deletion, stating they must delete within 15 days.
  3. Photography Consent Form — At check-in, ask: “May we use your photo in promotional materials?” Only use photos from attendees who say yes. Deletion requests automatically trigger photo removal.
  4. Data Retention Policy — Document which data you keep and for how long: registration (30 days post-event), financial records (7 years per GST), photos (only with consent, deleted on request).
  5. Deletion Confirmation Letter — When you delete, send the attendee a signed letter listing what was deleted and the date—proof you complied within 30 days.
  6. Third-Party Vendor Agreements — Add a clause: “Vendor must delete attendee data within 15 days of organizer notification that attendee withdrew consent.”
  7. CRM and Email System — Remove deleted attendees from all active campaigns and leads lists; archive-only records must be anonymized.

Key Penalties and Enforcement

The Data Protection Board can issue orders under Section 12(3) requiring deletion and compensation if:

  • You fail to delete within 30 days.
  • You continue to use or share data after deletion.
  • You claim a spurious “legal hold” to avoid deletion.

Penalties reach ₹200 crore for willful or negligent violations. Even a single attendee complaint, if upheld, can trigger this.


Frequently Asked Questions

Q: If an attendee deletes their data, do I have to tell the vendors who bought the list?

A: Yes. Under Section 12 and the principle of fiduciary accountability, you must notify vendors in writing that the attendee has withdrawn consent and must be deleted. Many organizers skip this and face enforcement risk. Include a 15-day deadline for vendor confirmation of deletion.

Q: Can I keep attendee data for “future event marketing”?

A: No, not without explicit separate consent. Section 12 requires data to be necessary for the stated purpose (the event they attended). A generic “we may contact you about future events” at sign-up is weak. If an attendee later asks for deletion and you’ve already marketed the next event to them without separate consent, you’re in breach.

Q: How long should I retain attendee registration data after the event ends?

A: Section 12 doesn’t specify a timeline; it’s purpose-driven. If the event is over and you have no ongoing contract or post-event warranty, retain registration data for only 30 days unless the attendee opts in to future marketing. Financial records (for GST/tax) can stay 7 years but must be anonymized (name/email separated from invoice number).

Q: What if an attendee’s photo was already published on social media and they request deletion?

A: Delete from your active channels (website, LinkedIn, event site) within 30 days under Section 12. Published posts on third-party platforms (attendee’s own Facebook share, news articles) are outside your direct control, but you must stop your distribution. Document your deletion steps in case of an audit.

Q: If a vendor refuses to delete data after I notify them, am I liable?

A: Partial. You bear initial responsibility as the original fiduciary. If you’ve documented your deletion request to the vendor with a deadline and they refuse without legal justification, report the vendor to the Board separately. Your documented effort shields you partially, but best practice is to contractually bind vendors to deletion clauses before you sell them data.

trade show attendee data deletion DPDPAexhibition registration erasure rights Section 12DPDPA compliance trade show organizers Indiaattendee data correction Section 12 trade showsexhibition data retention period India DPDPAtrade show photography consent Section 12 rightsvendor list data deletion Section 12 exhibitions
VERIFIED DPDPAReady Editorial Desk 25 JUL 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →