Trade Show Attendee Data & Section 7: 5 Legitimate-Use Pathways Without Consent
| Applies to | Trade Show & Exhibition Organizers operating in India |
| Primary law | DPDPA 2023 · Section 7 |
| Penalty ceiling | up to ₹150 crore for misapplied Section 7 grounds |
| Enforcement status | Data Protection Board accepting complaints — 2026-08 |
| Source | DPDPAReady Compliance Team |
What Section 7 Allows (And What It Doesn’t) for Trade Show Data
Trade show organizers collect tens of thousands of personal data points at every event — attendee registrations, badge scans, email lists, contact information for follow-up. The question isn’t whether you collect data; it’s whether you have the right to process it, and under which legal ground.
Section 7 of the DPDPA 2023 defines a closed list of situations where you can process personal data without consent. This is critical for exhibitions: you can’t rely on broad “legitimate interest” tests like GDPR does. You must fit your processing into one of the Act’s six exhaustive categories, or you need explicit consent — with no middle ground.
The 5 Section 7 Legitimate Uses That Actually Apply to Trade Shows
The DPDPA Section 7 lists six grounds. For exhibitions, five are actionable:
| Legitimate Use | Definition | Trade Show Example | Does NOT Include |
|---|---|---|---|
| Voluntarily Provided Data | Data the individual actively submits without coercion. | Registration forms, badge sign-ups, exhibitor applications. | Scraped lists, inferred data, purchased third-party databases. |
| Employment | Processing data of employees, contractors, or job applicants. | Event staff payroll, security personnel rosters, volunteer management. | Processing attendee data because they might apply to your company later. |
| Contractual Obligations | Processing necessary to fulfill a contract with the data subject. | Ticket confirmations, pass logistics, exhibitor booth assignments. | ”Improvement of future events” without explicit contract language. |
| Compliance with Law | Processing mandated by statute, regulation, or court order. | Tax filings, statutory reporting if required by trade body. | Processing “just in case” a regulator asks. |
| Mergers & Acquisitions | Transferring attendee data if the trade show business is acquired. | Sale of exhibition IP including attendee lists to new organizers. | Selling attendee lists to unrelated third parties (that requires consent). |
The sixth ground — Medical Emergency — has no application for trade shows.
How GDPR’s “Legitimate Interest” Differs Radically from DPDPA’s Section 7
This distinction is not semantic; it is foundational and creates enforcement risk:
| Aspect | GDPR “Legitimate Interest” | DPDPA Section 7 |
|---|---|---|
| Legal Standard | Balancing test: Is the organization’s interest proportionate to individual harm? | Closed list: Does the processing fit one of six categories? No balancing. |
| Flexibility | Open-ended. Organizers can argue new grounds if the balance favors them. | Exhaustive. You are limited to the six grounds listed. No improvisation. |
| Burden of Proof | Org must document the balance; individuals can challenge via rights requests. | Org must document which ground applies. If not listed, no legal ground exists. |
| Risk Model | Auditable. Wrong balance = fine. Right balance = compliant. | Binary. Wrong category = violation. Right category = compliant. |
| Penalty for Misclassification | Fine for not conducting legitimate-interest assessment. | Fine for using wrong Section 7 ground; applies to all processing under that ground. |
Trade Show Implication: An exhibition organizer who claims “we use attendee emails to improve future events” and relies on something like GDPR’s legitimate interest will violate DPDPA Section 7 — because “continuous improvement” is not on the list. You must find a ground that actually fits: voluntarily provided (if they checked a box), contractual (if it’s in the T&Cs), or compliance with law (only if required by statute).
Real Trade Show Scenarios Under Section 7
Scenario 1: Attendee Registration List
An exhibition organizer collects attendee names, emails, and phone numbers via an online registration form. This is voluntarily provided data (Section 7). You can:
- Store the list for the event
- Send event logistics (venue, timing)
- Send post-event feedback surveys (part of event execution)
You cannot:
- Sell the list to unrelated third parties without consent
- Use it for marketing products unrelated to the event
- Forward it to exhibitors without a data-sharing clause in your T&Cs
Scenario 2: Exhibitor Booth Assignment & Logistics
You collect exhibitor company name, contact person, tax ID, and booth preferences. This is contractual (Section 7): you’re processing it to fulfill the booth rental contract. You can:
- Share booth assignments with venue operators
- Process payment information
- Handle logistics coordination
You cannot:
- Retain the data after the event if the contract doesn’t require it
- Share tax IDs with other exhibitors
- Use contact info for sales calls about next year’s event (that’s new marketing; you need consent or a separate Section 7 ground)
Scenario 3: Event Staff Payroll
Hourly workers, security contractors, and volunteers provide their bank details, attendance records, and tax information. This is employment data (Section 7). You can:
- Process for payroll
- Handle statutory filings (PF, tax)
- Manage scheduling and attendance
You cannot:
- Retain the data longer than employment plus statutory hold periods plus reasonable wind-down
- Use it to profile attendees based on staff-volunteer crossover
- Share it with next year’s event team without re-establishing a Section 7 ground
Common Mistakes Trade Shows Make Under Section 7
Mistake 1: “Voluntarily Provided” Doesn’t Mean “Without a Boundary”
Many organizers believe that once data is voluntarily provided, they can use it for anything. DPDPA Section 7 applies only to data actively and knowingly submitted. It does NOT grant unlimited use rights. You still need a contractual, legal, or other ground for each separate use.
Correct approach: Separate voluntarily provided data (registration) from uses that need their own Section 7 ground (staff rosters, vendor payments).
Mistake 2: Confusing “Employment” with “Attendee Profiling”
Some organizers collect employment titles, company names, and job roles from attendee forms, then use this data to segment attendees for targeted communications. This is NOT employment processing — it’s attendee profiling based on occupation. It requires either consent or a contractual ground (if T&Cs say “we segment by industry for better recommendations”).
Correct approach: If segmentation is in your T&Cs and part of the event value, it’s contractual. If it’s not disclosed, you need consent.
Mistake 3: Retroactive Contracting
An organizer collects data under “voluntarily provided” (no fine print), then later claims the use was contractual because “it’s implied in event participation.” Section 7 grounds must be present and disclosed at collection time — not retrofitted after collection.
Correct approach: State in your privacy notice and T&Cs exactly what you’ll do with each data type and under which Section 7 ground. Collect consent for uses outside those grounds.
Mistake 4: Mergers & Acquisitions Without Disclosure
If your trade show business is acquired, Section 7 allows attendee data to transfer. But it does NOT require you to announce this to attendees, nor does it waive their rights. New organizers are bound by the original processing grounds unless they change the use.
Correct approach: In your privacy notice, disclose that your business may be acquired and attendee data may transfer. If the new organizer wants to use data for different purposes, they need new consent or a Section 7 ground.
Building a Section 7 Audit Trail for Trade Shows
Before the next event, create a data-processing matrix:
- List every data type collected (names, emails, phone, job titles, payment info, etc.)
- Identify the processing purpose (event execution, marketing, analytics, sponsorship, follow-up)
- Assign the Section 7 ground for each purpose (voluntarily provided, employment, contractual, legal, M&A)
- Document the proof: Where is this ground disclosed? (T&Cs, privacy notice, employment contract, subpoena)
- Review retention: How long do you keep each data type? When does retention stop?
If any processing has no Section 7 ground, you must either change the processing to fit a ground that applies, or collect explicit consent.
The Penalty for Misapplication
Section 7 violations fall under DPDPA Section 12 (erasure/rights failures) if you’re using the wrong ground and denying rights, or under DPDPA Section 5 (notice failure) if you don’t disclose the ground at collection.
Misapplication of a Section 7 ground — claiming contractual processing when the use isn’t in the contract, or saying data is “voluntarily provided” when it’s actually inferred — can attract penalties up to ₹150 crore depending on the severity and the volume of individuals affected. For a 10,000-attendee trade show where data is misclassified and misused across multiple grounds, the regulator’s calculation could easily reach the upper range.
Why Trade Shows Are High-Risk Under DPDPA
Exhibitions operate in a gray zone:
- High volume of data collection — thousands of individuals in a short window
- Multiple legitimate uses — marketing, logistics, analytics, sponsorship, follow-up
- Third-party involvement — venues, exhibitors, sponsors, contractors
- Retention ambiguity — many organizers keep attendee lists indefinitely for “future events”
- Cross-border risk — international exhibitions may involve overseas exhibitor or sponsor data flows
Each of these multiplies the risk of a Section 7 misapplication. A single wrong ground applied to thousands of attendees scales the violation.
Frequently Asked Questions
Q: Can I use Section 7 to process attendee data if they didn’t explicitly consent at registration?
A: Yes, if you fit your use into one of the six Section 7 grounds. For example, if attendees actively filled out a registration form (voluntarily provided) and your T&Cs state you’ll use email for event logistics (contractual), you do not need separate consent for those uses. But if you want to use the email for marketing unrelated to the event, you need consent or a different Section 7 ground.
Q: Our trade show was acquired by another company. Can we transfer attendee data to the new organizer under Section 7?
A: Yes, Section 7 (mergers & acquisitions) allows transfer of attendee data when the business is acquired. However, the new organizer must respect the original processing grounds — they cannot immediately start using the data for new purposes without consent or a Section 7 ground that applies to the new use. If your privacy notice disclosed that business acquisition was possible, you have stronger legal standing.
Q: Is “segmentation by job title for better recommendations” considered employment processing under Section 7?
A: No. Employment processing applies only to your own employees, contractors, or applicants. Segmenting attendee data by their job titles to tailor event content is attendee profiling, not employment. It’s legal only if: (1) it’s disclosed in your privacy notice and T&Cs as part of the event value (contractual, Section 7), or (2) the attendee consented specifically to this use, or (3) you have another applicable Section 7 ground. “Implied consent” does not satisfy DPDPA.
Q: If an exhibitor asks me to share attendee lists for their follow-up, does Section 7 allow it?
A: Only if your registration T&Cs explicitly state that attendee data will be shared with exhibitors, and attendees saw this disclosure at collection time. This is contractual processing (Section 7). If no such clause exists in your terms, sharing attendee lists to exhibitors without consent is a violation — your registration clause (“voluntarily provided”) does not extend to sharing with third parties. Some organizers solve this by asking attendees at registration: “May we share your details with exhibitors?” This gets explicit consent for that specific use.
Q: How long can we keep trade show attendee data under Section 7?
A: Retention is limited by the purpose. If you retain data under “voluntarily provided” for event logistics, keep it only as long as needed to execute the event (typically days to weeks). If you keep data under “contractual” (fulfilling booth rental), retention depends on the contract term plus any statutory hold (tax records, 7 years). If you retain data “just in case next year’s event needs it,” you have no Section 7 ground — that’s a new event with a new processing purpose that requires either consent or re-establishing a Section 7 ground at the time of the next event. Document your retention policy clearly and delete data once the ground’s purpose is served.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →