Generally, no. An online lender may collect a selfie, ID image, or payment screenshot for a legitimate purpose such as identity verification, fraud prevention, or payment confirmation. But it cannot post, send, edit, or threaten to release your photo to embarrass you into paying. Philippine privacy rules expressly state that a borrower’s photo must never be used to harass or shame the borrower during collection—even when the loan is already overdue. The government’s 2026 advisory on online lending platforms reiterates that public shaming, intimidation, and unlawful use of personal data are prohibited.

The legality of the debt and the legality of the collection method are separate issues. A lender may demand payment, send reasonable reminders, negotiate a restructuring arrangement, or file a proper civil case. It may not weaponize your photos, government IDs, contact list, or private loan information.

What Counts as “Leaking” a Borrower’s Photos?

A photo is “leaked” when it is disclosed, published, or sent to someone who has no lawful reason to receive it. The disclosure does not have to reach thousands of people. Sending your photo and loan information to one employer, relative, friend, group chat, or social media page may already constitute unauthorized processing or disclosure.

Common examples include:

Posting your selfie on Facebook, TikTok, Messenger groups, or “scammer” pages
Sending your photo to relatives, co-workers, clients, church members, or neighbors
Creating a “wanted,” “magnanakaw,” “estafa,” or “online scammer” poster
Editing your photo into an insulting, obscene, or humiliating image
Publishing your ID, address, phone number, loan balance, or payment history
Threatening to send your photos to everyone in your phonebook unless you pay
Using a photo taken for know-your-customer or KYC verification as collection material
Continuing to browse or copy images from your gallery after identity verification is complete

A threat to leak your photo is important evidence even if the agent has not yet carried it out. SEC rules prohibit threats to take action that cannot legally be taken, while the 2026 joint advisory treats threats, harassment, and processing that harms a person’s reputation as unfair collection conduct.

Lawful use compared with unlawful use

Use of your photo or data	Likely legal position
Taking a selfie during KYC verification	Generally permitted when necessary, disclosed, and proportionate
Reviewing an ID to verify identity	Generally permitted, subject to security and retention rules
Sharing data with an authorized service provider solely to process the loan	May be permitted if proper safeguards and confidentiality are maintained
Providing information pursuant to a valid court or government order	May be permitted or required by law
Posting a borrower’s photo to shame them	Prohibited
Sending the photo and debt details to friends or an employer	Generally prohibited unless the recipient is a properly designated and consenting guarantor or another lawful exception applies
Turning a selfie into a “scammer” poster	Likely unauthorized and potentially defamatory
Threatening publication unless immediate payment is made	Unfair collection conduct and potentially evidence of another offense
Keeping unrestricted gallery or contact access after its purpose is completed	Contrary to NPC rules on necessity and proportionality

The NPC’s amended loan-data rules allow camera or photo-gallery access only at the appropriate stage for KYC, fraud prevention, payment verification, or a similar legitimate purpose. Once that purpose has been completed, access must be disabled or the borrower must be prompted to revoke it. The circular states unequivocally that a borrower’s photo cannot be used to harass or embarrass the borrower in collecting a delinquent loan.

App Permission Is Not Permission to Shame You

Many borrowers believe they lost their privacy rights because they clicked “Allow,” accepted a privacy notice, or uploaded a selfie. That is incorrect.

Under Section 3 of the Data Privacy Act of 2012, Republic Act No. 10173, consent must be freely given, specific, and informed. A lender cannot ordinarily convert permission given for identity verification into permission to publish the same photo for debt collection. Processing must also comply with the principles of transparency, legitimate purpose, and proportionality. (National Privacy Commission)

A broad statement hidden in lengthy terms and conditions is not necessarily a valid authorization for every possible use. The 2026 joint advisory specifically warns against deceptive interfaces such as pre-ticked boxes, designs that make consent easy to give but difficult to withdraw, and screens that obscure the privacy-protective option. Such practices may undermine or invalidate consent.

The same principle applies when your photo was publicly visible on your Facebook profile. Public availability does not give a lender unlimited permission to copy the image, combine it with your debt information, and republish it to humiliate you. That is a new act of processing requiring its own lawful basis.

Your Rights Under the Data Privacy Act

An identifiable photograph is personal information. A government ID may also contain sensitive personal information, including government-issued identifiers and information about age, marital status, or alleged offenses.

As the “data subject”—the person whose data is being processed—you may exercise rights under Section 16 of RA 10173, including the right to:

Know what personal information the lender collected
Know the purpose, manner, and scope of the processing
Ask where the information came from
Request the names or categories of persons who received it
Access copies of personal information being processed
Correct inaccurate or misleading information
Seek blocking, removal, or destruction of information that was unlawfully obtained, used for an unauthorized purpose, or is no longer necessary
Seek indemnification for damage caused by unlawful or unauthorized processing

A lender may retain some information when retention is required by law, necessary to establish or defend a legal claim, or reasonably connected with an outstanding contract. That does not authorize continued publication, harassment, or unnecessary access to your gallery and contacts. (National Privacy Commission)

Possible Data Privacy Act violations

Depending on the evidence, leaking a borrower’s photo may be evaluated under several provisions:

DPA provision	Conduct it may cover
Section 25 — Unauthorized processing	Collecting, using, or processing the photo without consent or another lawful basis
Section 28 — Processing for unauthorized purposes	Reusing a KYC photo for shaming, threats, or collection posters
Section 31 — Malicious disclosure	An officer, employee, or agent disclosing unwarranted or false information with malice or bad faith
Section 32 — Unauthorized disclosure	Giving personal or sensitive personal information to an unauthorized third party

For example, unauthorized processing of ordinary personal information under Section 25 carries imprisonment of one to three years and a fine of ₱500,000 to ₱2 million. Higher penalties apply when sensitive personal information is involved. Criminal liability is not automatic merely because a screenshot exists; investigators and prosecutors must determine the applicable offense, identify the responsible persons, and establish the required elements with evidence. (National Privacy Commission)

The National Privacy Commission has previously recommended prosecution of an online lending company whose agents accessed borrowers’ contacts, communicated false or unwarranted information to relatives and co-workers, and used personal information for harassment and public shaming. The case demonstrates that using an outsourced agent or separate collection team does not place the lender beyond privacy enforcement. (National Privacy Commission)

Special Privacy Rules for Online Lending Apps

NPC Circular No. 20-01, as amended by NPC Circular No. 2022-02, establishes rules specifically for loan-related transactions.

Contact-list access is strictly limited

An online lending app cannot freely harvest your entire phonebook. Access must be necessary, limited, and proportionate. Unrestrained processing that leads to harassment, unfair collection, or collection from persons other than the borrower’s guarantor is prohibited.

A character reference is not automatically a guarantor

This distinction is frequently abused.

A character reference is provided to help verify a borrower’s identity or the truthfulness of an application. A guarantor is a person who expressly agrees to answer for the debt if the borrower defaults.

Merely being listed as a reference—or appearing in the borrower’s contact list—does not make someone responsible for the loan. Online lending platforms must use separate interfaces for character references and guarantors. A person must expressly consent to becoming a guarantor before being bound. The current government advisory says collection contact may be directed only to the properly designated guarantor, not indiscriminately to people in the borrower’s phonebook.

SEC Rules Against Public Shaming and Abusive Collection

SEC Memorandum Circular No. 18, series of 2019 prohibits financing and lending companies—and collection service providers hired by them—from engaging in unfair debt collection practices.

Prohibited conduct includes:

Threats of violence or other criminal means
Threats to take action that cannot legally be taken
Obscene, insulting, or profane language amounting to abuse
Publication of the names and personal information of alleged nonpaying borrowers
Communicating false loan information to another person
Deceptive collection methods
Contacting persons in the borrower’s contact list outside permitted exceptions

A lender may disclose limited information to a properly authorized collection agency or service provider to perform legitimate collection work. But that agency remains bound by confidentiality, privacy, and fair-collection rules. SEC Memorandum Circular No. 18 expressly provides that ultimate responsibility for outsourced collection practices remains with the financing or lending company.

Republic Act No. 11765, or the Financial Products and Services Consumer Protection Act of 2022, separately prohibits financial service providers from employing abusive collection or debt-recovery practices against financial consumers. (Lawphil)

These rules apply alongside the Data Privacy Act. One incident may therefore result in an SEC regulatory complaint, an NPC privacy complaint, and—where threats, fraud, or other crimes are involved—a law-enforcement investigation.

Civil Remedies for Humiliation, Distress, and Reputational Harm

The Civil Code of the Philippines, Republic Act No. 386, may support a civil claim against the responsible company or individuals.

Relevant provisions include:

Article 19: Everyone must act with justice, give others their due, and observe honesty and good faith.
Article 20: A person who willfully or negligently causes damage contrary to law must indemnify the injured person.
Article 21: A person who willfully causes injury in a manner contrary to morals, good customs, or public policy must compensate the victim.
Article 26: Courts may grant relief when conduct disturbs another person’s privacy, dignity, personality, or peace of mind.
Articles 2217 and 2219: Moral damages may be awarded in proper cases for mental anguish, wounded feelings, serious anxiety, social humiliation, or a besmirched reputation.

A civil case may seek damages and, depending on the facts, an order stopping further publication or requiring removal. The claimant still needs evidence of the wrongful conduct, the defendant’s participation, and the resulting injury. The amount of damages is determined by the court rather than automatically awarded for every privacy violation. (Lawphil)

False public accusations may also be evaluated for cyberlibel, while threats, identity misuse, or obscene edited images may involve other criminal laws. The precise offense depends on what was said, where it was published, who received it, and whether the responsible person can be identified.

What to Do Immediately After a Photo Leak or Threat

1. Preserve evidence before blocking anyone or requesting removal

Do not rely on one cropped screenshot. Collect evidence showing the complete context:

The agent’s phone number, username, profile, or email address
The lender’s and app’s names
The complete message, including the threat and payment demand
The date and time displayed on the device
The post’s URL, account name, audience, comments, reactions, and shares
The uncropped photo or poster that was distributed
Screen recordings showing how the post or conversation was accessed
Copies of SMS, Messenger, Viber, WhatsApp, Telegram, or email conversations
Call logs and recordings lawfully made by a participant in the conversation
Screenshots from recipients who received the material
The app’s permissions, privacy notice, app-store listing, and developer name
Your loan agreement, disclosure statement, payment history, and receipts

Save original files without editing them. Keep a simple evidence log stating who captured each item, on what date, using which device, and where it came from. A recipient who personally received the message may later be asked to authenticate the screenshot or execute an affidavit.

The current NPC Complaint-Affidavit warns that incomplete complaints and missing evidence may result in outright dismissal. Electronic evidence must be presented in a manner that permits its authenticity and source to be established.

2. Identify the company behind the app

The app’s brand name may be different from the lender’s registered corporate name. Check:

The loan agreement and disclosure statement
The privacy notice and data protection officer’s details
The app-store developer information
The name appearing in payment instructions
SEC registration and Certificate of Authority information
Official messages or receipts issued after disbursement

Include both the app name and corporate name in complaints when available. If the collector uses only an alias or disposable number, identify the loan account and company that assigned the collection.

3. Send a written demand to the lender and its data protection officer

A written notice is important because NPC procedure generally requires the complainant to first inform the company of the privacy violation and give it an opportunity to respond.

A concise notice may state:

I demand that your company and all collection agents immediately stop using, publishing, or disclosing my photographs, identification documents, loan information, and contact data for harassment or public shaming. Please remove all unauthorized posts, instruct recipients and processors to delete unlawful copies, identify the persons or entities to whom my data was disclosed, preserve all collection and access logs, and provide the contact details of your Data Protection Officer. Please respond in writing within fifteen days. This demand does not waive my rights or constitute a refusal to address any valid obligation through lawful channels.

Send it through an official email, in-app support channel, and any verifiable corporate address. Keep delivery receipts, ticket numbers, automated acknowledgments, and replies.

4. Secure your phone and accounts

After preserving evidence:

Revoke the app’s access to photos, camera, contacts, location, microphone, and storage.
Uninstall the app if it is no longer needed, but first save the agreement and account details.
Change passwords for email and social media accounts.
Enable two-factor authentication.
Review active sessions and sign out unfamiliar devices.
Warn close contacts not to click payment links or send money to personal e-wallet accounts.
Verify any settlement or payment instruction through the lender’s official channel.

Revoking permissions will not necessarily erase data already copied to the lender’s systems, which is why the written data request and complaint remain important.

5. Request platform removal after preserving evidence

Report the post to the social media platform under privacy, harassment, impersonation, or disclosure-of-personal-information categories. Ask recipients to delete forwarded copies, but preserve at least one authentic copy for evidence first.

Deletion by the agent does not erase the violation. Screenshots, recipient testimony, access logs, and the agent’s preceding threats may still establish what happened.

6. Address any valid debt separately

Continue communicating only through official channels. Request an updated statement of account and written breakdown of principal, interest, penalties, and payments. Do not send funds to an agent’s personal bank or e-wallet account without independent verification.

A privacy complaint does not automatically cancel a valid loan. Conversely, paying the loan does not erase an earlier privacy or collection violation.

Where to File a Complaint

Office or channel	Best used for	How to file
Lender’s customer service and Data Protection Officer	Immediate removal, preservation of logs, access request, and the written notice normally required before an NPC complaint	Use the official email, support ticket, and corporate address shown in the agreement or privacy notice
Securities and Exchange Commission — Financing and Lending Companies Department	Public shaming, threats, abusive collection, contact-list harassment, and violations by lending or financing companies	File through the SEC iMessage portal or call 1-4732
National Privacy Commission	Unauthorized collection, use, disclosure, retention, or sharing of photos and personal data	Follow the NPC formal complaint procedure
DICT Cyber Hotline	Online harassment, threats, fraud, or cyber incidents	Email `1326@dict.gov.ph`
NBI Cybercrime Division	Serious threats, fraudulent accounts, identity misuse, or possible cybercrime	Email `ccd@nbi.gov.ph` or call (02) 8523-8231 to 38
PNP Anti-Cybercrime Group	Threats, cyber-harassment, impersonation, and other possible criminal conduct	Email `acg@pnp.gov.ph` or `onlinecims.ocs@gmail.com`; telephone (02) 8723-0401 local 7491
Social media or messaging platform	Fast removal or restriction of the post or account	Use the platform’s privacy, harassment, or impersonation reporting process

The SEC, DICT, NPC, NBI, and PNP contact information above appears in the March 2026 joint government advisory.

How to File a Formal NPC Complaint

Send the company a written privacy notice or demand. Keep proof that it was received.
Allow an opportunity to respond. NPC rules generally require proof that the company failed to take timely and appropriate action or did not respond within 15 days.
Download the current form. Use the 2026 NPC Complaint-Affidavit, not an old form found in a social media post.
Identify the respondent. State the corporate name when known, app name, office address, email, collector numbers, and relevant account details.
List the affected data. This may include your selfie, ID, address, contact list, employer, loan balance, phone number, and messages.
Narrate events chronologically. Specify who said what, when the threat was made, when publication occurred, who received it, and what the company did after notice.
Attach all evidence. Number and label screenshots, recordings, links, correspondence, loan documents, and identification.
Disclose related cases. The form contains a verification and certification against forum shopping. State related SEC, police, prosecutor, or court filings rather than concealing them.
Have the affidavit notarized.
Submit it in person, by courier, or by scanning and emailing it to complaints@privacy.gov.ph. Use the current address and filing instructions printed on the latest form. (National Privacy Commission)

Do not miss the NPC filing deadline

Under the NPC Rules of Procedure, a complaint generally must be filed within six months from the violation or 30 days from the last communication with the company, whichever is earlier. The “whichever is earlier” language means continuing to exchange messages should not be treated as permission to wait indefinitely.

The NPC may waive the prior-notice or timing requirements for good cause or when the complaint involves a serious violation and a significant risk of harm. In an ongoing leak, send the written demand immediately while also preserving evidence and reporting urgent threats.

NPC fees and practical timelines

Item	Current position
Basic NPC complaint filing fee	₱500
Claim for damages	Additional fees apply according to the amount claimed
Application for a cease-and-desist order	₱1,000, with a bond requirement under the current schedule
Indigent complainant	Fee exemption may be available upon submission of a barangay certificate of indigency and the required affidavits and supporting documents
Notarization	Cost varies depending on the notary or consular service
Agency resolution	No guaranteed quick completion; service of pleadings, evidence disputes, mediation, and identification of anonymous agents may cause proceedings to take months or longer

The applicable amounts appear in NPC Circular No. 2023-01 on fees and charges. Confirm the current amount and payment channel before submitting payment.

Common Situations and Practical Problems

The agent only threatened to post the photo

Preserve the threat. A message saying “Pay today or we will send your picture to all your contacts” can support an unfair-collection complaint even before publication. Report any credible threat of violence or immediate harm to law enforcement.

The borrower is genuinely overdue

Overdue status does not suspend privacy rights. The lender may collect through lawful means but cannot use public humiliation as a substitute for proper legal remedies.

The collector says the company is not responsible

That is generally inconsistent with SEC and privacy rules. An outsourced collector acts as the lender’s agent for collection purposes, and the lender remains accountable for the personal information it transferred and the collection practices performed on its behalf.

A relative was listed only as a character reference

The relative does not become a guarantor merely because their name or number was supplied. A guarantor must separately and expressly consent to assume that obligation. A person found in the phonebook is not automatically a reference, co-borrower, or guarantor.

The app is unregistered or no longer available

The March 2026 advisory applies to online lending platforms whether recorded or unrecorded. Report the app name, developer, download source, corporate details, payment account, website, and collector numbers. An unregistered operation may create additional SEC issues, but it does not by itself determine whether every underlying obligation is void.

The borrower is an OFW or foreign national

The Data Privacy Act can apply to processing performed in the Philippines and to covered entities with a Philippine office, branch, agency, or equipment, regardless of the complainant’s nationality in appropriate cases. Complaints may be submitted electronically or by courier.

An affidavit executed abroad must still satisfy authentication requirements. Depending on the country and the receiving office’s instructions, it may be notarized through a Philippine embassy or consulate, or notarized locally and apostilled. Confirm the required format with the NPC before executing the affidavit abroad. Philippine consular officers provide notarial services for documents intended for use in the Philippines. (National Privacy Commission)

Frequently Asked Questions

Can an online lending app post my selfie on Facebook or TikTok?

Not for public shaming or debt-collection pressure. A selfie obtained for KYC cannot lawfully be repurposed into a debtor poster merely because the account is overdue.

Can a collector send my photo to my employer or family?

Generally, no. Sending your photo and loan information to unrelated third parties for embarrassment or pressure is prohibited. A properly designated guarantor may be contacted about the guaranteed obligation, but a family member or employer is not automatically a guarantor.

I allowed access to my gallery and contacts. Did I consent to publication?

No. Device permission authorizes access only within a specified, legitimate, and proportionate purpose. It is not blanket consent to copy, publish, or use your data for harassment.

Can the lender call me a scammer or threaten me with estafa?

Mere failure to pay a loan does not automatically amount to estafa or fraud. The Constitution prohibits imprisonment simply for debt, although a separate criminal case may exist when independent evidence establishes an actual offense. False threats of arrest or baseless criminal accusations may be unfair collection practices. (Lawphil)

Can the individual collection agent be held liable?

Potentially. The company may face administrative, civil, or criminal consequences, while the employee or agent who personally processed, disclosed, threatened, or published the data may also be investigated under the applicable law. Liability depends on their role and evidence of participation.

Can I demand deletion of all my information?

You may demand blocking, removal, or destruction of data used unlawfully, retained without necessity, or processed for an unauthorized purpose. The lender may retain records that it is legally required to keep or reasonably needs for a valid claim, but retention does not permit continued public disclosure.

Can I still complain if the post has already been deleted?

Yes. Deletion may reduce continuing harm but does not erase the previous disclosure. Preserve screenshots, links, recipient messages, threats, and witness information.

Does filing a privacy complaint erase my loan?

No. The debt and the privacy violation are separate. A valid debt may still be collected through lawful means, while the collector may still be answerable for unlawful disclosure.

What if I never borrowed and someone used my identity?

State in writing that the loan is disputed as identity theft. Demand the application records, device or account information, disbursement details, recipient account, and source of the identification documents. Secure your accounts and report the matter to the lender, NPC, and cybercrime authorities.

Key Takeaways

A lender may use your photo for legitimate verification, but not for public shaming, threats, or harassment.
Giving camera, gallery, or contact permission is not blanket consent to disclose your data.
Character references and phone contacts are not automatically guarantors.
Preserve complete evidence before requesting takedown or revoking permissions.
Send a written demand promptly, because NPC procedure has strict prior-notice and filing-deadline rules.
Unfair collection can be reported to the SEC, while unauthorized data processing can be reported to the NPC; serious threats and cybercrime concerns may also be reported to the DICT, NBI, or PNP.
A privacy complaint does not cancel a valid debt, and an unpaid debt does not authorize humiliation or unlawful disclosure.