Collection Limitation

Plain English Translation

Under RA 10173, personal data may only be collected for a declared, specific, and legitimate purpose — and only the minimum data necessary to achieve that purpose may be gathered. Collection must be done lawfully and fairly; data that is excessive, irrelevant, or incompatible with the declared purpose must not be retained. This collection limitation principle ensures data subjects are not exposed to unnecessary privacy risk from over-collection.

Executive Takeaway

Organizations must limit data collection to only what is strictly necessary and relevant for a clearly declared, legitimate business purpose.

ImpactHigh
ComplexityMedium

Why This Matters

  • Reduces regulatory risk and potential fines under the Philippines Data Privacy Act by adhering to data minimization mandates.
  • Minimizes the blast radius and potential damages in the event of a security breach by limiting stored data.
  • Enhances customer trust by demonstrating respect for privacy boundaries and avoiding invasive data collection.

What “Good” Looks Like

  • Data collection forms and APIs only request fields strictly necessary for the service, with periodic reviews supported by tools like WatchDog Security's Compliance Center to track evidence and control ownership.
  • Privacy Impact Assessments rigorously challenge the business justification for every collected data point, while tools like WatchDog Security's Asset Inventory can help identify systems and SaaS tools that should be included in the review.
  • Privacy notices explicitly detail the legitimate purpose before any data is collected.

Put Philippines DPA (2012) compliance + 19 others on autopilot

Starting at $99/admin/mo — includes all frameworks, evidence automation, and AI-powered gap analysis.

Start Free Trial No credit card required

Under RA 10173, collection limitation dictates that organizations must collect personal data only for a declared, specified, and legitimate purpose, and the data must not be excessive.

It means the organization must explicitly state the exact, lawful reason for collecting the data prior to gathering it, and this reason must not be contrary to law, morals, or public policy.

An organization is strictly limited to collecting only the minimum amount of personal data that is adequate, relevant, and not excessive in relation to the declared purpose.

The proportionality principle requires that the processing of personal information must be strictly necessary and not excessive for achieving the declared purpose, effectively mandating data minimization.

Companies prove this by maintaining an updated Record of Processing Activities (RoPA), conducting Privacy Impact Assessments, and regularly auditing forms to ensure every field has a justified business need.

Requirements include having a lawful basis (such as consent), declaring a specific legitimate purpose beforehand, and ensuring the collected data is strictly necessary and proportional to that purpose.

Generally, yes. Section 19(a) requires consent that is time-bound and may be withdrawn, unless the Act provides an alternative lawful basis for the specific collection.

A privacy notice must clearly and simply explain exactly what data is being collected, why it is necessary for the service, how it will be processed, and the retention period.

Purpose limitation restricts data collection to a specific, declared reason, while data minimization ensures only the absolute minimum amount of data is gathered to achieve that exact reason.

Auditors review public privacy notices, data flow diagrams, the centralized Record of Processing Activities, consent logs, and evidence of minimization reviews in system design.

Purpose Limitation becomes difficult when teams collect data through forms, APIs, SaaS tools, and internal workflows without one centralized view. WatchDog Security's Compliance Center can help map evidence, privacy reviews, and control ownership so teams can demonstrate that each collected data element is tied to a declared, specified, and legitimate purpose.

Organizations first need visibility into the systems, SaaS applications, identities, and data intake points that may collect or store personal information. WatchDog Security's Asset Inventory can help maintain an inventory of cloud assets, SaaS tools, and identity mappings so privacy teams can prioritize reviews of systems most likely to collect personal data.

PHILIPPINES-DPA Rule IV, Section 19(a)

"Collection must be for a specified and legitimate purpose... Personal data to be collected shall only be that which is necessary and compatible with declared, specified and legitimate purpose."

PHILIPPINES-DPA Rule IV, Section 19(b)(4)

"Processed personal data should be adequate, relevant and not excessive in relation to the declared, specified and legitimate purpose."

VersionDateAuthorDescription
1.0.02026-05-06Compliance Content SpecialistInitial publication