Credit App Harassment and Data Exposure: How to File a Complaint with the NPC and SEC

Last updated: 23 October 2025 (PH). This article is information, not legal advice.

Why this matters

Mobile “credit apps” and online lending platforms (OLPs) have made small loans easy to access—but some engage in abusive collection tactics: debt-shaming texts to your contacts, threats, nonstop calls, and unlawful harvesting of your phonebook or photos. In the Philippines, these practices can violate data privacy, consumer protection, and lending/financing regulations. Two regulators are central:

  • National Privacy Commission (NPC) — for Data Privacy Act of 2012 (DPA; R.A. 10173) violations (e.g., scraping your contacts, disclosing your debt to others, using data beyond what you consented to).
  • Securities and Exchange Commission (SEC) — for lending/financing violations, including unfair debt collection practices and unregistered/illegal lending.

This guide explains your rights and gives step-by-step filing instructions with both agencies—plus practical templates and evidence checklists.

Your legal protections at a glance

A. Data privacy (NPC; R.A. 10173)

The DPA protects “personal information” and “sensitive personal information.” Common violations by credit apps include:

  • Unauthorized processing/over-collection (e.g., forcing broad permissions to access contacts, photos, SMS not necessary for the service).

  • Processing for incompatible purposes (e.g., using your contact list to shame you into paying).

  • Unauthorized disclosure (e.g., texting your family, employer, or entire contact list about your loan).

  • Security breaches (e.g., leaking your data; storing without safeguards).

  • Failure to honor data subject rights:

    • Right to be informed (clear privacy notice and lawful basis)
    • Right to object/withdraw consent
    • Right to access and data portability
    • Right to rectification/erasure/blocking (“right to be forgotten”)

Potential outcomes: NPC may issue compliance or cease-and-desist orders, require deletion/blocking of unlawfully obtained data, mandate security measures, and (for serious violations) recommend criminal prosecution and administrative fines/penalties allowed by law and NPC rules.

B. Unfair debt collection & illegal lending (SEC)

Financing and lending companies fall under the SEC’s jurisdiction. Prohibited collection conduct typically includes:

  • Harassment and threats, use of obscene or profane language.
  • Public or third-party disclosure of debt (debt shaming) to contacts, co-workers, social media, or employers who are not guarantors or authorized representatives.
  • Contacting the debtor at unreasonable hours or at the workplace after being told not to.
  • False representations (e.g., pretending to be law enforcement, threatening arrest).
  • Operating without SEC registration or using unregistered online lending platforms.

Potential outcomes: SEC can fine, suspend/revoke licenses, order platforms taken down, and refer matters for criminal action under lending/financing laws and the Revised Corporation Code.

If the app is a bank/e-money issuer (EMI) or a loan from a bank, complaints go first to the BSP consumer assistance channel, not the SEC. You can still pursue NPC remedies for privacy violations.

Evidence to gather (do this first)

  1. Identity & account: government ID, screenshots of your account profile, loan agreement/receipts, app store page.
  2. Harassment log: dates/times of calls/texts/chats; phone numbers; call recordings (if lawful), voicemails.
  3. Debt-shaming proof: messages sent to your contacts; group chats; social media posts; emails to your employer.
  4. Data exposure: screenshots of permission requests; proof the app accessed your contacts/photos/SMS; privacy policy copies.
  5. Damages/impact: HR memos, written warnings, anxiety or medical consults, lost income claims (if any).
  6. Your demands: copies of your cease-and-desist or data rights requests sent to the company and their replies (or lack thereof).

Immediate safety/containment steps

  • Revoke permissions on your phone (Contacts/SMS/Storage/Photos) for the app; change passwords; enable 2FA.
  • Back up and then uninstall abusive apps (keep a copy of the APK version details or app store link as evidence).
  • Tell contacts that any harassing messages about you are part of a debt-shaming practice and not lawful.
  • If there are credible threats, extortion, or doxxing, report to PNP-ACG or NBI-CCD and your telco for number blocking.

Filing a Data Privacy complaint with the NPC

1) Write to the company’s Data Protection Officer (DPO)

Before going to the NPC, you’re expected to first raise the issue with the personal information controller (the lender/app). Send a formal data subject rights (DSR) request to the DPO:

  • Identify yourself and your account.
  • Object to further processing for debt-shaming; withdraw consent to access your contacts; demand erasure/blocking of unlawfully obtained data.
  • Ask for: the lawful basis for processing, the specific data they hold, sources, recipients of any disclosures, retention periods, and security measures.
  • Give a deadline (e.g., 10–15 calendar days) to respond.

Keep proof you sent this (email headers, courier receipts). If there’s no DPO listed, send to their official support and corporate address—and note the absence of a DPO in your complaint.

Template: DSR + Cease & Desist (short form)

Subject: Exercise of Data Subject Rights; Cease & Desist from Unlawful Processing I am [Name], user [Account/Loan #]. I object to your continued processing of my personal data for debt collection that involves contacting third parties and accessing my contacts. I withdraw any consent previously given for such access. I demand erasure/blocking of data sourced from my device contacts/SMS/photos and cessation of third-party disclosures. Please provide within 10 days: (1) your lawful basis for processing; (2) all personal data you hold about me; (3) recipients of any disclosures (dates/method); (4) data sources; (5) retention; and (6) security measures. Failure to comply will prompt a complaint with the NPC and other authorities.

2) Prepare your NPC complaint packet

  • Verified complaint (statement of facts, violations under the DPA, and reliefs sought).

  • Annexes: ID, proof you contacted the DPO and their reply or non-reply, screenshots/recordings, privacy policy copy, timeline of events, and witness statements (if any).

  • Reliefs you can request:

    • Order to cease harassing communications and stop contacting third parties.
    • Erasure/blocking of unlawfully obtained data and proof of deletion.
    • Direction to implement security and privacy controls and to notify affected third parties of corrective action.
    • Administrative sanctions as appropriate.

Filing channels change from time to time. NPC typically accepts electronic filings through its portal or designated email and may schedule mediation or proceed to summary proceedings. Keep your phone/email open for notices.

3) After filing

  • Docketing & evaluation: NPC may ask for clarifications or additional evidence.
  • Mediation (often first step): aim is immediate cessation, deletion of data, and commitments in writing.
  • Formal resolution: NPC can issue a decision, compliance order, or refer for prosecution/fines where warranted.
  • Enforcement: Disobeying an NPC order can lead to further penalties and court action.

Filing an Unfair Debt Collection / Illegal Lending complaint with the SEC

1) Identify the entity type

  • SEC-registered lending/financing company or OLP → SEC has jurisdiction.
  • Bank/EMI (e.g., bank-issued credit) → go to BSP consumer assistance (still file with NPC if privacy was violated).
  • Unregistered “loan shark” app → report to SEC (illegal lending) and law enforcement.

2) Prepare your SEC complaint

  • Narrative: who they are, how you downloaded, loan terms, due dates, what harassment occurred (dates, channels).
  • Alleged violations: operating without registration; using unfair debt collection (harassment, threats, shaming, contacting third parties), false representations, unreasonable call times.
  • Evidence: same artifacts as for NPC, plus SEC registration details if you have them (or note “unknown/unverified”).
  • Reliefs sought: take down the OLP, suspend/revoke license, impose fines, order compliance and public notice, and refer criminally if needed.

3) Where and how to file

  • SEC complaint/e-forms (online or by email to enforcement/investor protection units) vary; provide a working phone/email for follow-ups.
  • You may be asked for notarized statements/affidavits and to certify that your submissions are true and correct.

4) After filing

  • SEC may issue a show-cause order, cease-and-desist against the platform, or recommend criminal action. Public advisories are common for repeat offenders.

Parallel and complementary remedies

  • BSP Consumer Assistance (if the creditor is a bank/EMI or a bank-partner product).
  • Civil actions: damages under the Civil Code (e.g., invasion of privacy), and small claims for disputed fees/charges (no lawyers required up to the current threshold).
  • Criminal complaints (when applicable): grave threats, unjust vexation, extortion, libel, violations of the Cybercrime Prevention Act. Coordinate with PNP-ACG/NBI-Cybercrime.
  • Telco remedies: number blocking; spam reports.
  • App stores: report violations of developer policies (debt-collection harassment and excessive permissions).

What to ask for (sample “menu” of reliefs)

When writing to the DPO, NPC, or SEC, consider requesting:

  1. Immediate stop to harassment and third-party contacts.
  2. Deletion/erasure of device-harvested contacts and any data not strictly necessary for loan servicing.
  3. Written confirmation of deletion and future processing limits.
  4. Rectification of inaccurate records; access to all data and disclosure logs.
  5. Platform takedown (if unregistered/abusive OLP) and public advisory.
  6. Damages/apology (if mediated), without prejudice to other remedies.
  7. No-contact commitment except via your designated channel and within reasonable hours.

Practical drafting tips

  • Be precise: “On 12 Sept 2025 at 10:14 a.m., collector number +63 9XX XXX XXXX called my employer and disclosed my debt.”
  • Bundle evidence: label screenshots by date/time; export call logs; keep raw files.
  • Stay professional: regulators appreciate concise, chronological narratives with exhibits.
  • Protect third parties: redact contact numbers of family/friends before widely sharing evidence; provide unredacted copies only to the regulator via secure channels.
  • Don’t pay junk fees just to “stop the shaming” if you dispute them; note them in your filing.

Frequently asked questions (Philippines)

Q: The app says I “consented” when I installed it. Am I stuck? A: No. Consent must be freely given, specific, informed, and unambiguous. Tying excessive permissions (e.g., perpetual access to Contacts) to basic loan servicing is likely disproportionate. You can withdraw consent and object to incompatible processing at any time under the DPA.

Q: They messaged my entire phonebook. Is that automatically illegal? A: Disclosing your debt to unrelated third parties is generally unlawful under both privacy and unfair collection rules, absent a lawful basis (e.g., guarantor). It’s a strong ground for NPC and SEC action.

Q: Can I force them to delete my data? A: You can demand erasure/blocking of data not necessary for legal or contractual obligations (e.g., regulatory retention of transaction records). Data harvested from your contacts or gallery is rarely “necessary” and is commonly ordered deleted.

Q: Do I have to keep paying the loan? A: Harassment doesn’t erase legitimate debt. Continue to honor valid obligations or dispute unlawful charges via proper channels (mediation, small claims). Separate the collection abuse case from the loan balance question.

Q: They threatened arrest. A: Debt is a civil matter. Private lenders cannot order arrests. Threatening arrest is an unfair practice and can be reported to the SEC and law enforcement.

One-page checklists

NPC (Data Privacy) Complaint Checklist

  • Copy of your DSR/cease-and-desist sent to the DPO
  • Proof of sending and no/insufficient response
  • Verified complaint (facts, legal bases, reliefs)
  • Evidence pack (screenshots, call logs, policies)
  • ID and contact details
  • Willingness for mediation (tick “yes” if you want quick relief)

SEC (Unfair Collection / Illegal Lending) Complaint Checklist

  • Entity name and app/platform links
  • Registration status (if known) or “unknown”
  • Narrative of harassment and abusive tactics
  • Evidence pack (calls, messages, third-party disclosures)
  • Reliefs (takedown, fines, license action)
  • Your sworn statement (notarize if asked)

Short, reusable templates

A. Cease & Desist to Collector/Agency

I demand you stop contacting my contacts, employer, and family; stop threats and harassment; and limit contact to [email/number], weekdays 9:00–17:00 only. Any further third-party disclosures will be documented and filed with the NPC/SEC and law enforcement.

B. Notice to Employer/Contacts (damage control)

Any messages you received about me from [App/Lender] relate to unlawful debt-shaming practices. I have filed complaints with regulators. Please do not respond or engage; feel free to forward such messages to me for evidence.

Final reminders

  • Document everything and act quickly, but don’t panic.
  • Separate the harassment/privacy violations from the validity of the loan; pursue both tracks as needed.
  • If you feel overwhelmed, consult a lawyer or a legal aid clinic; bring this evidence pack to your first meeting.
  • Regulators move faster when complaints are organized, verified, and well-evidenced.

Stay safe, assert your rights, and don’t let abusive collection tactics go unchallenged.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login