✓ Link copied
DPDPA 2023 Compliance

Marathon Data Under DPDPA Section 7: 6 Legitimate Uses for 10,000+ Runners

Applies toMarathon and sports event organizers in India processing 500+ participant registrations annually
Primary lawDPDPA 2023 · Section 7
Penalty ceilingup to ₹150 crore
Enforcement statusData Protection Board accepting complaints — 2026-08
SourceDPDPAReady Compliance Team

Understanding DPDPA Section 7 for Marathon Organizers

Marathon organizers in India collect thousands of participant records yearly—registration data, health information, emergency contacts, payment details. DPDPA Section 7 is the legal foundation that permits most of this processing without requiring separate consent. But only if it falls within one of six defined legitimate-use categories. Unlike GDPR’s open-ended “legitimate interest” test, Section 7 is a closed list: processing outside these grounds requires explicit consent, or you face penalties up to ₹150 crore.

This glossary defines the six legitimate-use categories and shows how each applies to your marathon operations.

Key Terms & Legitimate Uses Under Section 7

Voluntarily Provided Data (First Legitimate Use)

Definition: Personal data that a data subject freely provides to you as part of a transaction or service enrollment—not in response to legal obligation or duress.

In Marathon Context: When a runner registers for a 42-km marathon online, they voluntarily submit:

  • Name, age, and contact phone number
  • Medical conditions (asthma, diabetes, allergies)
  • Emergency contact name and number
  • T-shirt size, bib number
  • Payment information (credit card for entry fee)

All of this qualifies as “voluntarily provided data” under Section 7, even if your registration form does not include a separate DPDPA consent checkbox. The act of filling out the registration form itself is the voluntary provision. You do not need a second “I consent to data processing” statement for these core fields—they are legitimate uses by nature.

Important boundary: If you later want to use a runner’s email to send marketing newsletters unrelated to the race, that is not covered by Section 7’s voluntary-provision ground. Marketing requires separate consent or another legitimate use.

Employment Data Processing (Second Legitimate Use)

Definition: Processing personal data of your employees, contractors, and authorized volunteers strictly for employment-related purposes—recruitment, payroll, performance management, compliance with labor law.

In Marathon Context: Your marathon event has a small staff:

  • Race director, medical officer, security coordinator
  • Volunteer runners (bib checkers, water station staff, finisher logistics)
  • On-call contractors (ambulance services, equipment rentals)

Section 7 permits processing their:

  • Identity documents (for background checks)
  • Bank account information (for volunteer stipends or contractor payments)
  • Mobile numbers (for shift schedules and emergency calls during the race)
  • Health declarations (to assign them to appropriate roles—no one with a heart condition at the 35-km heat station)

You do not need separate consent from staff or volunteers to process this employment-related data, because Section 7 lists employment purposes as a legitimate use. However, this ground only covers data necessary for the employment relationship—you cannot use an ambulance contractor’s personal phone number to send them unrelated advertisements.

Medical Emergency Processing (Third Legitimate Use)

Definition: Processing personal data (especially health or sensitive data) when necessary to protect the life or physical integrity of a person in an emergency situation.

In Marathon Context: During a 42-km event, runners face heat exhaustion, dehydration, muscle cramps, and in rare cases cardiac events. Section 7 explicitly permits your medical team to:

  • Access a collapsed runner’s pre-registered health form (which states they are diabetic or on blood thinners)
  • Contact their emergency contact immediately
  • Share medical history with the ambulance crew attending them
  • Record their condition in real-time for hospital handoff (without a “medical consent form” because emergency protection overrides standard consent)

This is one of the strongest grounds in Section 7—emergency protection supersedes consent withdrawal. If a runner previously requested deletion of their medical data but collapses on the track, you must and may access that data to save their life.

Boundary: Once the emergency ends (runner is discharged from hospital), this ground expires. Ongoing treatment data processing reverts to standard consent requirements unless another Section 7 ground applies.

Compliance with Law or Court Order (Fourth Legitimate Use)

Definition: Processing required to meet a legal obligation imposed by statute, court order, or regulatory body—police investigation, tax authority, sports regulator, or insurance compliance.

In Marathon Context: Your marathon operates under several legal obligations:

  • Municipal sports permit: Local authorities mandate you collect runner names and age for crowd-size verification and safety planning. Section 7 permits this processing without separate runner consent because you are complying with the permit condition.
  • Insurance requirements: Your event liability insurer requires you to maintain records of all participants, their pre-existing conditions, and incidents (falls, medical interventions). Processing this data is compliant with Section 7 because it fulfills the insurance contract’s legal requirement.
  • Police investigation: A runner reports a theft during the race. Police issue a notice requiring you to share the runner’s photo, bib number, and route-checkpoint times. Section 7 permits this without the runner’s consent because it is a court/law enforcement order.
  • GST/income tax compliance: Tax authorities ask for event revenue and participant count. You may provide anonymized or aggregated data under this ground.

Boundary: Compliance processing must be proportionate to the legal requirement—you cannot collect more data than the regulation demands, and you must stop once the legal requirement ends.

Mergers, Acquisitions, or Business Restructuring (Fifth Legitimate Use)

Definition: Processing personal data when a business that holds it is merged, acquired, or restructured—the data transfers to the new entity or owner as part of the business asset.

In Marathon Context: Suppose your organization, “Delhi Marathon Collective,” is acquired by a larger sports event company, “Pan-India Sports Holdings.” Section 7 permits the transfer of all 10,000 runner records (names, emails, medical data, payment info) to the new owner without individual runner consent, because the data is being processed in the context of a legitimate business restructuring.

Critical caveat: Section 7 permits the transfer, but the new owner must still comply with all other DPDPA duties (privacy notice, erasure requests, security). And you must inform runners of the transfer within 72 hours—failure to notify is a separate violation (Section 5, notice failure, up to ₹150 crore penalty). But consent from runners is not required for the transfer itself.

State Functions (Sixth Legitimate Use)

Definition: Processing data when required for functions of the State, public authority, or entity acting on behalf of the State.

In Marathon Context: This ground rarely applies to private marathons, but examples include:

  • A government-sponsored “National Fitness Marathon” run by the Sports Ministry: they can process runner data for sports statistics without consent because it is a State function.
  • A municipal sports department organizing a public race: they can collect participant data for government health/fitness tracking.

Most private commercial marathons do not qualify for this ground. Use the other five first.


Why Section 7 Matters: The Closed-List Constraint

GDPR (Europe) gives companies an open-ended “legitimate interest” balancing test: if your interest in processing outweighs the runner’s privacy, processing may be lawful even without consent. You argue; a regulator reviews.

DPDPA Section 7 is stricter. It lists exactly six legitimate uses. If your processing does not fit one of them, it is unlawful—no balancing, no argument. This is why careful categorization (is this voluntary data, or employment data, or compliance?) is essential.

A marathon organizer’s checklist:

  • ✅ Runner registration fields (name, age, contact) → voluntarily provided
  • ✅ Volunteer staff payment details → employment data
  • ✅ Accessing medical data when runner collapses → medical emergency
  • ✅ Sharing runner count with municipal authorities per permit → compliance with law
  • ✅ Transferring runner database to event acquirer → M&A restructuring
  • ❌ Selling runner emails to sports-apparel companies for ads → not any Section 7 ground (requires explicit consent)
  • ❌ Using runner health data to build a fitness algorithm for resale → not covered (requires consent)

Section 7 in Practice: Three Scenarios

Scenario 1: Pre-Race Medical Questionnaire Your registration form asks runners, “Do you have asthma? Diabetes? Heart condition?” Runners fill this in. You store it without a separate “I consent to medical data processing” checkbox. Is this lawful?

  • Answer: Yes. The medical data is voluntarily provided (Legitimate Use #1) and is also necessary for medical emergency response (Legitimate Use #3). No additional consent needed.

Scenario 2: Volunteer Coordinator’s Spreadsheet Your volunteer coordinator maintains a list of 50 volunteer runners: names, mobile numbers, and assigned roles (hydration station, bib checkpoint, finisher line). She never asked them to sign a data-processing consent form. Lawful?

  • Answer: Yes. Volunteer contact data falls under employment data processing (Legitimate Use #2). Volunteers are engaged in the event’s delivery, so their operational data is legitimate under Section 7.

Scenario 3: Post-Race Marketing Email Two weeks after the marathon, you email all 10,000 runners: “Join our fitness coaching membership—20% off for past racers!” No runners opted into a mailing list. Lawful?

  • Answer: No. Marketing is not covered by any Section 7 legitimate use. Runners voluntarily provided data for race operations, not for future marketing. You must either obtain separate consent or stop sending these emails. Continuing without consent violates Section 7 (processing outside legitimate uses) and may trigger a ₹150 crore penalty for misapplied legitimate-use grounds.

Practical Compliance Steps

  1. Audit your data flows. For every piece of runner, volunteer, or staff data you collect, name which Section 7 ground justifies it. If you cannot name one, you need explicit consent.

  2. Document the grounds. Maintain a data-processing register (required under Section 4 of DPDPA) that records:

    • Data category (name, age, health, payment)
    • Section 7 legitimate use (voluntarily provided, employment, emergency, compliance, M&A, or State function)
    • Retention period (delete once the ground no longer applies)
  3. Train your team. Ambulance crews, volunteer coordinators, and staff must understand that accessing runner medical data during the race is lawful under emergency grounds (Legitimate Use #3), but accessing it for curiosity or non-emergency purposes is not.

  4. Separate consent from registration. Your online form can use Section 7 to collect core race data (name, bib, phone) without a “consent checkbox” for those fields. But if you want to send newsletters, collect payment for future events, or share data with sponsors, add a separate optional checkbox for those uses—they are not covered by Section 7.

  5. Honor Section 7’s time limits. Data collected under “medical emergency” grounds must be deleted once the emergency has resolved and no ongoing treatment is needed. Data collected under “compliance with law” must be deleted once the legal obligation expires (e.g., insurance claim period ends).


Frequently Asked Questions

Q1: Can we collect a runner’s health data (allergies, cardiac history) at registration without an explicit consent form?

A: Yes, under Section 7. Health data provided voluntarily as part of race registration (Legitimate Use #1) is lawful. Additionally, storing it for potential medical emergencies during the race (Legitimate Use #3) is explicitly permitted. However, you must still comply with security obligations: encrypt the data, limit access to medical staff, and delete it after the race season ends or the runner requests erasure. The absence of a “consent” checkbox does not exempt you from security and erasure duties.

Q2: We share runner names and bib numbers with our race-day security contractor. Is that allowed under Section 7?

A: Yes, if the security contractor needs this data to perform their job (checking bibs at mile markers, identifying runners at finish line for safety). This falls under Section 7’s employment/contractor processing ground (Legitimate Use #2). However, your contractor must sign a data-processing agreement and only use the data for race-day security—not for any other purpose. If the contractor later uses runner data for their own marketing, that is their violation, but you may still be liable for not ensuring proper safeguards in the agreement.

Q3: A runner’s emergency contact is an ex-partner, and the runner asks us to delete that contact from our records. Can we refuse?

A: Not fully. Section 7 does not override erasure rights. Under Section 8 of DPDPA, runners can request erasure of their data (except where legal compliance requires retention). If a runner asks to remove their emergency contact, you must do so within 30 days. However, if the runner subsequently collapses and cannot provide medical information, emergency services may not be able to reach anyone—explain this trade-off to the runner, but honor their erasure request. After the race, retain the emergency contact only if you have a separate legitimate-use ground (e.g., insurance requires it for 12 months for liability); otherwise, delete it.

Q4: Can we process volunteer health data (to assign them to roles) under Section 7, or must we get consent?

A: Section 7 permits it under the employment-data processing ground (Legitimate Use #2). If a volunteer has a medical condition (pregnancy, back issues), you can store that information to assign them to appropriate tasks (no heavy lifting, no extreme heat exposure). You do not need a separate consent form for this. However, you must inform volunteers that you are processing their health data and why (assignment to safe roles)—DPDPA requires transparency even when Section 7 applies.

Q5: We acquired a smaller marathon event and inherited their runner database of 5,000 emails. Can we use those emails to invite them to our future marathons without asking consent again?

A: The transfer of the database to you is permitted under Section 7’s M&A ground (Legitimate Use #5). However, using their emails for a new event or new purpose is different. Under Section 7, the original event collected their emails for that specific race. Your new event is a different purpose. You must notify them of the acquisition within 72 hours (Section 5 notice requirement) and then separately ask for consent to invite them to future events, or ensure your future event communications fall within their original voluntary consent scope. If their original registration merely said “get event updates,” future events may be covered; if it was narrowly scoped to one race, you need fresh consent. Document the original consent scope carefully to avoid a Section 8 erasure claim later.

DPDPA Section 7 legitimate usesmarathon participant data processing Indiasports event runner consent exemptionmarathon organizer DPDPA complianceIndian sports events participant datarace event health data without consentsection 7 DPDPA marathon organizers
VERIFIED DPDPAReady Editorial Desk 16 AUG 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →