✓ Link copied
DPDPA 2023 Compliance

Section 5 DPDPA Notice Requirements: 6 Essential Disclosures for Event Planners

Applies toCorporate event management, HR staffing, and corporate function planning firms collecting attendee and employee personal data in India.
Primary lawDPDPA 2023 · Section 5
Penalty ceilingup to ₹150 crore
Enforcement statusData Protection Board accepting complaints — 2026-08
SourceDPDPAReady Compliance Team

Understanding Section 5 DPDPA: The Itemized Notice Your Event Firm Must Provide

Before a corporate event planner, HR staffing agency, or logistics vendor collects attendee names, email addresses, dietary preferences, or employee information, the DPDPA 2023 requires an explicit, detailed notice. Section 5 of the Act mandates this itemized disclosure — and non-compliance triggers penalties of up to ₹150 crore for notice failures that result in a breach of data subject rights.

This deep dive walks through Section 5’s seven mandatory disclosure elements, how they apply to corporate event and HR businesses, common implementation gaps, and a step-by-step compliance checklist.

What Section 5 Actually Requires

Section 5 of the DPDPA states:

“A Data Fiduciary shall, in such manner and at such time as may be prescribed, provide a notice to the data principal before or at the time of seeking consent, which shall include— (a) the name and contact details of the Data Fiduciary; (b) the purpose for which personal data is being sought; (c) the categories of personal data being sought and the nature thereof; (d) the right to withdraw consent; (e) the right to grievance redressal; (f) the name and contact details of the Grievance Officer; (g) provision for processing personal data in languages specified in the Eighth Schedule to the Constitution.”

For corporate event and HR firms, this is not a checkbox exercise. Each element has direct operational and legal consequences.

Clause-by-Clause Breakdown for Event & HR Businesses

(a) Name and Contact Details of the Data Fiduciary

Who is the Data Fiduciary? In event planning, this is typically the event management company, the corporate HR department (if internal), or the staffing agency collecting the data. Your notice must name the organization legally responsible for the data and provide a working phone number, email, and physical address.

Common gap: Event firms list only a website URL without a physical address or a dedicated contact person. Section 5(a) requires both contact form AND contact details. If your website has an inquiry form but no visible phone number or office address, you are non-compliant.

Action: Publish your legal entity name (not trading name), full office address, phone number (not just an automated line), and email address on your consent form and privacy notice.

(b) Purpose for Which Personal Data Is Being Sought

State clearly why you need the data. For a corporate conference, the purposes might include:

  • Generating attendee badges
  • Sending pre-event logistics emails
  • Catering headcount confirmation
  • Post-event survey and feedback
  • Networking introduction (if attendee opted in)

Do not list vague purposes like “for our records” or “to improve service.” Each purpose must be specific and tied to the event or staffing engagement.

Common gap: HR teams collect employee data for “HR administration” without specifying whether it includes payroll, benefits eligibility, background verification, or internal transfer matching. Section 5 requires itemization by purpose.

Action: Draft a Purposes Table. List each business reason for data collection. Use this table in your consent notice.

(c) Categories of Personal Data and Nature Thereof

Itemize which data fields you will collect. For an event firm:

  • Name, email, phone (direct identifiers)
  • Dietary restrictions, accessibility needs (sensitive data under Rule 2 of the DPDPA Rules)
  • Organization, job title (derived data)
  • IP address, device ID if using check-in apps (technical data)

“Nature thereof” means describing how the data is used or stored — e.g., “email is stored on a secure event platform for 90 days post-event, then deleted.”

Common gap: Event forms ask for “dietary restrictions” without disclosing that this may be stored and shared with caterers (a third-party). Section 5(c) requires clarity on the category and its processing context.

Action: List data fields by type (identifier, sensitive, derived, technical). For each, note retention period and any third-party recipients.

Attendees and employees must know they can withdraw consent at any time. This is non-negotiable under the Act.

For event attendees: “You may withdraw consent to processing by emailing grievance@eventfirm.com. Your data will be deleted within 30 days, except where legal retention applies.”

For employee data: “You may withdraw consent to optional processing (e.g., networking, internal transfer matching) at any time via HR portal or by emailing hr@company.com.”

Common gap: Forms state “consent is required” without offering a clear withdrawal mechanism. This violates Section 5(d).

Action: Add a withdrawal instruction to every consent notice. Test the withdrawal process to ensure it works.

(e) Right to Grievance Redressal

Data subjects must know they can file complaints if their rights are violated. Mention the grievance mechanism briefly here (detailed contact comes in clause (f)).

Action: Add one sentence: “If you believe your personal data rights have been violated, you may file a grievance with our Grievance Officer (contact details below).”

(f) Name and Contact Details of the Grievance Officer

This is a critical operational requirement. You must appoint a named Grievance Officer and publish their details.

For corporate event firms: Grievance Officer could be your Compliance Manager or a dedicated email (grievance@eventfirm.com) with a named individual backing it.

For HR departments: Often the Employee Relations or Compliance Officer.

Common gap: Stating “contact us at support@company.com” without naming a Grievance Officer. Section 5(f) requires a named person or a named role.

Action: Appoint a Grievance Officer by job title. Publish their name (or role + contact email if privacy is a concern). Ensure the role is staffed.

(g) Processing in Languages Specified in the Eighth Schedule

The Eighth Schedule to the Indian Constitution lists 22 official languages (Hindi, English, Tamil, Telugu, Marathi, Gujarati, Urdu, Kannada, Odia, Punjabi, Bengali, Assamese, Maithili, Santali, Sanskrit, Kashmiri, Sindhi, Konkani, Manipuri, Nepali, Bodo, Dogri).

Section 5(g) requires you to provide or facilitate the notice in the language of the data subject if they are a resident of that language region.

For event firms in India: If you hold an event in Tamil Nadu or send notices to Tamil-speaking regions, you should offer notices in Tamil. At minimum, offer English + Hindi + one regional language.

For HR departments: If your workforce includes employees from non-Hindi-speaking states, provide notices in their regional language or English (with an option to request translation).

Common gap: Notices provided in English only, with no option for regional languages. If data subjects are predominantly Hindi or Tamil speakers, this is non-compliant.

Action: Audit your geographic footprint. Provide notices in English, Hindi, and one regional language relevant to your business. Add a line: “This notice is available in [list languages]. Request a translated version by contacting [email].”

Implementation: A 6-Step Compliance Checklist

  1. Identify your Data Fiduciary role. Are you the event firm, the corporate HR team, or a processor acting on behalf of a client? Update your notice with the correct entity name.

  2. Map your purposes. List every reason you collect attendee or employee data. Group by process (registration, catering, HR admin, analytics).

  3. List data categories. For each purpose, specify which fields are collected (name, email, dietary restrictions, IP address). Note the retention period and any third-party recipients.

  4. Add withdrawal and grievance language. Include a sentence on how to withdraw consent and a full Grievance Officer contact (name + email + phone).

  5. Translate key sections. Provide the notice in English + Hindi + one regional language covering your operational regions.

  6. Test and document. Before deploying, test the withdrawal and grievance processes. Keep records of consent responses with timestamps for audit purposes.

Real-World Example: A Corporate Conference Firm

Event: TechConf India 2026 (500 attendees, 8 cities)

Data collected:

  • Name, email, phone, organization, job title (required for badge + communications)
  • Dietary restrictions (for catering)
  • T-shirt size (for giveaways)
  • Networking preferences (for AI-powered attendee matching)
  • Check-in device ID (for real-time analytics)

Section 5 compliance checklist for this firm:

ClauseRequirementImplementation
(a) Data FiduciaryName + contactTechConf Solutions Pvt. Ltd., Bangalore; +91-80-XXXX-XXXX; compliance@techconf.in
(b) PurposesList each reasonBadge generation, pre-event email, catering, giveaway logistics, attendee networking analytics, on-site check-in
(c) CategoriesField-by-field detailName/email/phone (72-hour retention, no third party); dietary/t-shirt (shared with caterer under processor agreement); device ID (deleted post-event)
(d) Right to withdrawMechanism + timeline”Email grievance@techconf.in within 48 hours to withdraw. Data deletion in 14 days.”
(e) Grievance rightOne-line acknowledgment”You have the right to lodge a complaint if your data rights are violated.”
(f) Grievance OfficerName + contactPriya Sharma, Compliance Manager, grievance@techconf.in, +91-80-YYYY-YYYY
(g) LanguagesOffer regional languageNotice in English, Hindi, Tamil, Kannada (8 cities served; translated versions on request)

Common Compliance Pitfalls & How to Avoid Them

Pitfall 1: “We’ll send privacy notice after registration.” Section 5 requires notice before or at the time of seeking consent. If your form collects data before disclosing, you’re non-compliant. Fix: Include consent + privacy details on the registration form itself, not in a follow-up email.

Pitfall 2: “Our consent form says ‘I agree to our Terms’; that covers it.” Section 5 mandates itemized, explicit disclosures of purpose, data categories, rights, and grievance contact. A link to a 5000-word Terms & Conditions page does not satisfy this. Fix: Use a concise, structured consent notice that hits all seven clauses.

Pitfall 3: “We list purposes but lump them together: ‘For business operations.’” Too vague. Section 5(b) requires you to itemize each specific purpose. Fix: Break purposes into separate line items.

Pitfall 4: “Grievance Officer contact is our website URL.” Section 5(f) requires a name and contact details. URLs alone don’t meet this. Fix: Name the Grievance Officer (e.g., “Rajesh Kumar, Grievance Officer”) and provide email + phone.

Pitfall 5: “We’re English-only because we’re a corporate events firm.” If attendees or employees include Hindi, Tamil, or other Eighth Schedule language speakers, Section 5(g) requires accommodation. Fix: Provide notice in English + Hindi + one regional language relevant to your footprint.

Penalties and Risk

A Section 5 violation — failing to provide an itemized notice before seeking consent — can trigger penalties of up to ₹150 crore if the firm’s subsequent data processing breaches the data principal’s rights.

The ladder of consequences:

  1. First violation: Warning + deadline to cure (typically 3 months).
  2. Repeat violation: Penalties up to ₹10 crore + stop-processing orders.
  3. Gross negligence (e.g., no notice at all, then data breach): Penalties up to ₹150 crore.

For event firms with hundreds or thousands of attendees, a single mass-collection without proper Section 5 notice creates exposure proportional to the number of data subjects affected. A breach affecting 10,000 attendees without itemized notice could trigger the full ₹150 crore ceiling.

Frequently Asked Questions

Q: Do we need a separate notice for each event, or one master notice for all events? A: Each event may have different purposes, data categories, and retention timelines. Best practice is a template notice adapted per event (e.g., TechConf 2026 notice vs. HR Summit 2026 notice). A “blanket” notice covering all future events may not meet Section 5’s requirement for clarity on specific purposes and categories for each engagement.

Q: Our vendor (caterer, badge printer) collects some attendee data. Does the vendor need to provide a separate Section 5 notice? A: If your vendor is a third-party recipient of data (not a processor acting under your instruction), then yes — they must provide their own notice disclosing their purposes. If they are a processor under your control, you disclose them in your Section 5(c) notice as a recipient, but only you need to provide the primary notice. Clarify roles in a Data Processing Agreement.

Q: Is the grievance process the same for attendees and internal employees? A: The Section 5 requirement (name and contact of a Grievance Officer) applies to both. However, employee grievance processes may be integrated into your HR system (e.g., an internal portal), while attendee grievances may go to a separate contact. Disclose the relevant process for each data category.

Q: Do we need a physical Grievance Officer or can it be a shared email address? A: The Act does not mandate a full-time role, but Section 5(f) requires a name. Best practice: assign the role to an individual (even if part-time) and publish their name. If using a shared email (e.g., grievance@company.com), back it with a named owner so data subjects know who is accountable.

Q: What happens if we fail to translate our notice into regional languages? A: Section 5(g) requires provision for processing in Eighth Schedule languages. If you operate in Tamil Nadu and attendees are predominantly Tamil speakers, failing to offer a Tamil notice is non-compliant. You may offer English + offer to translate on request, but offering no regional language at all when your user base speaks one is a gap. Offering “translation on request” is defensible; offering nothing is not.

Section 5 DPDPA notice requirements Indiacorporate event data disclosure requirementsHR event planning DPDPA complianceitemized notice before consent DPDPAdata fiduciary disclosure obligationsEighth Schedule DPDPA language requirementsevent management personal data notice
VERIFIED DPDPAReady Editorial Desk 6 AUG 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →