Collection Limitation
Plain English Translation
Under RA 10173, personal data may only be collected for a declared, specific, and legitimate purpose — and only the minimum data necessary to achieve that purpose may be gathered. Collection must be done lawfully and fairly; data that is excessive, irrelevant, or incompatible with the declared purpose must not be retained. This collection limitation principle ensures data subjects are not exposed to unnecessary privacy risk from over-collection.
Technical Implementation
Use the tabs below to select your organization size.
Required Actions (startup)
- Audit all public-facing web forms and remove optional or unnecessary data fields to enforce data minimization.
Required Actions (scaleup)
- Implement a formal data mapping process to document the specific legitimate purpose for every data category in the RoPA.
Required Actions (enterprise)
- Integrate automated data minimization checks into the CI/CD pipeline, requiring privacy team sign-off before new data fields can be added to application databases.
Under RA 10173, collection limitation dictates that organizations must collect personal data only for a declared, specified, and legitimate purpose, and the data must not be excessive.
It means the organization must explicitly state the exact, lawful reason for collecting the data prior to gathering it, and this reason must not be contrary to law, morals, or public policy.
An organization is strictly limited to collecting only the minimum amount of personal data that is adequate, relevant, and not excessive in relation to the declared purpose.
The proportionality principle requires that the processing of personal information must be strictly necessary and not excessive for achieving the declared purpose, effectively mandating data minimization.
Companies prove this by maintaining an updated Record of Processing Activities (RoPA), conducting Privacy Impact Assessments, and regularly auditing forms to ensure every field has a justified business need.
Requirements include having a lawful basis (such as consent), declaring a specific legitimate purpose beforehand, and ensuring the collected data is strictly necessary and proportional to that purpose.
Generally, yes. Section 19(a) requires consent that is time-bound and may be withdrawn, unless the Act provides an alternative lawful basis for the specific collection.
A privacy notice must clearly and simply explain exactly what data is being collected, why it is necessary for the service, how it will be processed, and the retention period.
Purpose limitation restricts data collection to a specific, declared reason, while data minimization ensures only the absolute minimum amount of data is gathered to achieve that exact reason.
Auditors review public privacy notices, data flow diagrams, the centralized Record of Processing Activities, consent logs, and evidence of minimization reviews in system design.
Purpose Limitation becomes difficult when teams collect data through forms, APIs, SaaS tools, and internal workflows without one centralized view. WatchDog Security's Compliance Center can help map evidence, privacy reviews, and control ownership so teams can demonstrate that each collected data element is tied to a declared, specified, and legitimate purpose.
Organizations first need visibility into the systems, SaaS applications, identities, and data intake points that may collect or store personal information. WatchDog Security's Asset Inventory can help maintain an inventory of cloud assets, SaaS tools, and identity mappings so privacy teams can prioritize reviews of systems most likely to collect personal data.
"Collection must be for a specified and legitimate purpose... Personal data to be collected shall only be that which is necessary and compatible with declared, specified and legitimate purpose."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-05-06 | Compliance Content Specialist | Initial publication |

