✓ Link copied
DPDPA 2023 Compliance

Section 5 Glossary: 6 Consent Notice Terms for Sports Event Organisers

Applies toSports event and marathon organisers operating in India handling participant data
Primary lawDPDPA 2023 · Section 5
Penalty ceilingup to ₹150 crore
Enforcement statusData Protection Board accepting complaints — 2026-08
SourceDPDPAReady Compliance Team

Section 5 mandates that every Data Fiduciary provide an itemised notice to data subjects before or at the time of seeking consent. For sports event and marathon organisers, this notice is the cornerstone of lawful data handling—it tells participants exactly what data you collect, why you collect it, and what rights they have.

The notice is not optional, not a summary, and not buried in a privacy policy. It is the explicit, itemised disclosure that converts data collection into a lawful act under the Digital Personal Data Protection Act.

Section 5 of the DPDPA, 2023: “A Data Fiduciary seeking consent of a data subject shall, at the time of seeking consent, provide to such data subject, notice in writing which shall contain the following particulars: (a) the purpose of collection, processing or transfer of personal data; (b) the categories of personal data; (c) the categories of recipients of personal data; and (d) information concerning the right of the data subject, including the right to lodge a complaint with the Data Protection Board.”


Key Glossary Terms for Section 5 Compliance

1. Itemised Disclosure

Definition: A detailed, line-by-line statement of every material fact about data processing. Not a vague privacy policy—a specific list of what you’re collecting and why, required under Section 5(a)–(d).

For Sports Events: A marathon organiser’s consent notice must itemise:

  • Purpose: “to verify participant identity, calculate race times via timing chip, send post-event results, contact participants for feedback, and arrange race insurance”
  • Data categories: “name, email, phone, date of birth, emergency contact, age-group, T-shirt size, health conditions (asthma, diabetes, allergies), GPS location during race, photographs, payment details”
  • Recipients: “timing system vendor TechTime Ltd, medical staff on course, race insurance provider SafeRun, event photographer, cloud storage provider AWS”
  • Processing duration: “personal data retained for 3 years for results archive; health data deleted within 30 days of event unless medical incident occurred”

A single line saying “we collect personal data for event purposes” is not itemised and fails Section 5. Regulators and data subjects expect granularity.

2. Data Fiduciary

Definition: The entity that decides why and how personal data is processed. Under Section 5, the Data Fiduciary is responsible for drafting the consent notice, obtaining informed consent, and declaring the notice in the prescribed language.

For Sports Events: You (the marathon organizing committee, running club, or event management company) are the Data Fiduciary. Your responsibilities under Section 5:

  • Draft the itemised consent notice
  • Provide it in an Eighth Schedule language (Hindi, Tamil, etc., or English)
  • Obtain explicit consent before collecting any participant data
  • Name the Grievance Officer in the notice
  • Retain proof that the notice was given

Your timing vendor, payment gateway, or photographer are Data Processors—they act on your instructions, but you remain the liable party for the notice.

Definition: The written disclosure required by Section 5 that allows a data subject to make an informed choice. Without a valid Section 5 notice, any consent given is uninformed and legally void.

For Sports Events: Your consent notice might read:

“By registering for the XYZ Marathon, you provide consent to the following data processing:

Purpose: Event logistics (bib assignment, timing, results), participant communication, race insurance, and event feedback surveys.

Data we collect: Name, email address, phone number, date of birth, emergency contact person, age-group, T-shirt size, health conditions (if you declare allergies or medical needs), GPS location data collected via timing chip, photographs taken during the race, payment method (card last 4 digits only).

Who receives your data: Event organizers, our timing provider TechTime Ltd, on-course medical staff, SafeRun Insurance, race photographer, and our cloud provider AWS.

Your rights: You may request access, correction, or deletion of your data within 30 days of the event. Contact our Grievance Officer.

Grievance Officer: Priya Sharma, priya@marathonevent.in, 9876543210.”

This is a valid Section 5 notice—itemised, specific, and enabling informed choice.

4. Grievance Officer

Definition: A designated contact person (name, email, phone) that a Data Fiduciary must nominate and disclose in the Section 5 notice under the right to complain. Participants contact this officer if their data is mishandled; the officer escalates unresolved complaints to the Data Protection Board.

For Sports Events: Section 5(d) requires you to disclose “information concerning the right of the data subject to lodge a complaint with the Data Protection Board.” This includes naming a Grievance Officer within your organization (often the event director, compliance lead, or a designated privacy person).

If a marathon participant’s health data is accidentally shared with a sponsor, or their running times are leaked to a competing event, they contact your Grievance Officer first. If your organization does not respond within a reasonable time, they escalate to the Data Protection Board.

Critical: “Grievance Officer: support@event.com” is not sufficient. Provide a real name and phone number.

5. Eighth Schedule Language

Definition: One of the 22 official languages of India (Hindi, English, Tamil, Telugu, Gujarati, Marathi, Odia, Bengali, Punjabi, Assamese, Urdu, Kannada, Konkani, Maithili, Malayalam, Manipuri, Nepali, Sindhi, Sanskrit, Santali, or Kashmiri). Section 5 requires the consent notice to be in at least one Eighth Schedule language to enable “informed consent.”

For Sports Events: Your Section 5 notice must be available in at least one official Indian language. Best practices:

  • For interstate marathons: Provide in English and one regional language (e.g., English + Hindi for national races)
  • For regional events: Provide in the local language (Tamil for Chennai, Marathi for Mumbai)
  • For online registration: Offer multiple language options; at minimum, English is accepted nationwide

English is in the Eighth Schedule and widely understood, so providing the notice in English alone is compliant—but if your event is in a state with a significant non-English-speaking participant base, adding the regional language removes ambiguity and demonstrates care.

Definition: Certain purposes for which a Data Fiduciary can process data without consent, provided they are declared upfront. For sports events, “performance of a contract” (the race entry agreement) is a legitimate ground for minimal data processing.

For Sports Events: Under Section 5, you must still provide a notice even if you rely on legitimate grounds. The notice must state that you are processing data for a legitimate purpose (e.g., “processing your name, email, and race category to fulfill your entry contract”) and itemise what data is processed under that ground.

Example: A participant’s name and bib number are essential to race operations—you can process these under the legitimate ground of contract performance. But health data (e.g., asthma medication) still requires explicit consent, not contract grounds.


Section 5 Compliance Checklist for Sports Events

Before launching your next marathon or sports event, ensure your consent notice covers all of these mandatory elements:

  1. Purpose (Section 5(a)) — Write out every reason you process data. Not just “race operations” but: “verify entry, assign bibs, time races via GPS and timing chip, send results via email, contact participants for post-event feedback, claim race insurance, and archive results for 3 years.”

  2. Data Categories (Section 5(b)) — List every type of data you collect, even if not all participants provide it. Examples: name, email, phone, date of birth, emergency contact, T-shirt size, age-group, running experience level, medical history (allergies, asthma, diabetes), dietary restrictions (vegetarian, vegan), social media handles for race day shout-outs, payment method, GPS location during race, photographs.

  3. Recipients (Section 5(c)) — Name the third parties who will see participant data. List: timing vendor (e.g., TechTime Ltd), on-course medical team, race insurance company, photographer, sponsors (if they receive any data), cloud storage provider, payment processor, and any sub-contractors.

  4. Data Subject Rights (Section 5(d)) — Inform participants they can request access (see all data you hold), correction (fix errors), deletion (remove data), and portability (receive data in machine-readable form). Specify a deadline: “within 30 days of the race” or “within 45 days of the event.” Name the Grievance Officer and how to contact them.

  5. Grievance Officer Contact — Provide a real name, email, and phone number. Do not leave this blank, do not use a generic support email without a name, and do not list only a postal address. Example: “Grievance Officer: Amit Verma, amit.verma@marathonevent.in, +91 9876543210.”

  6. Language (Eighth Schedule) — Provide the notice in at least one official Indian language. English is safe for national events. If your marathon is in Tamil Nadu, provide Tamil or English; if in Punjab, Punjabi or English. Multi-language notices are best practice but not mandatory.

  7. Processing Duration and Retention — State how long you keep the data. Example: “Personal data is retained for 3 years for results archive and future event communication. Health data is deleted within 30 days of the event unless a medical incident was recorded. Payment data is retained for 1 year for tax and insurance purposes, then deleted.”

  8. Consent Mechanism — Make clear how participants give consent. Checkbox on online registration? Signature on paper waiver? Verbal agreement (not recommended—get written confirmation)? Ensure the consent is freely given, specific, and unambiguous.

Section 5 Penalty: Failure to provide a Section 5 consent notice, or providing a non-compliant notice (missing purpose, recipients, rights, or Grievance Officer), violates Section 5 of the DPDPA. The Data Protection Board can impose penalties up to ₹150 crore for large-scale or systematic breaches of the notice requirement, particularly if many participants were not given proper notice or the notice was unintelligible.


Frequently Asked Questions

Q: Our marathon has 5,000 participants. Do we need to provide the Section 5 notice to each person individually?

A: Yes. Section 5 mandates the notice “at the time of seeking consent.” For a 5,000-person marathon, best practice is to embed the notice on your online registration form (participants must acknowledge it before submitting their entry) and print it on paper waivers for on-site registrations. Every participant must see the notice before you collect their data. Providing it to 1,000 participants but not 4,000 others is non-compliance.

Q: Can we simply link participants to our privacy policy instead of writing a separate Section 5 notice?

A: No. A privacy policy is a general governance document; a Section 5 notice is event-specific and itemised. Section 5 requires you to disclose the exact purpose, exact data categories, exact recipients, and exact rights for this marathon. A link to an 8,000-word privacy policy does not satisfy Section 5. Provide a clear, standalone Section 5 notice—preferably one page or less—that data subjects can read and understand before consenting.

Q: Our timing partner collects GPS location data from participants’ smartwatches during the race. Are we responsible for disclosing this in the Section 5 notice, or is the timing vendor responsible?

A: You (the marathon organiser) are responsible. You are the Data Fiduciary who decided to collect GPS data; the timing vendor is your Data Processor. Your Section 5 notice must itemise: “GPS location data will be collected throughout the race via [Vendor Name]‘s timing system, processed to calculate splits and official times, and retained for [duration].” If the vendor also retains anonymised analytics or uses the data for their own purposes, disclose that too.

Q: We are a small 10 km running club event with only 150 participants. Do Section 5 rules still apply?

A: Yes, absolutely. The DPDPA applies to all data processing in India regardless of the scale of the event or organisation. A small running club collecting even 50 names and phone numbers is a Data Fiduciary and must provide a Section 5 consent notice before collecting data. Non-compliance carries the same penalty exposure (up to ₹150 crore) as a large marathon. Scale is not an exemption.

Q: What language should the Section 5 notice be in if our marathon attracts participants from across India?

A: English is compliant for a national or multi-state marathon, as it is an Eighth Schedule language and widely understood among educated participants. If the majority of your runners are from one state or region (e.g., Tamil Nadu or Maharashtra), add the regional language (Tamil, Marathi, etc.) to the online registration form—this shows care and ensures non-English speakers can give truly informed consent. You may provide the notice in multiple languages; one official Indian language is the minimum requirement.

Section 5 DPDPA consent noticesports event data compliance Indiamarathon organizer privacy noticeDPDPA data fiduciary glossarysports event notice requirementsconsent disclosure Section 5 sportsSection 5 itemised disclosure sports
VERIFIED DPDPAReady Editorial Desk 8 AUG 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →