Data Privacy Act: How to Request Data Deletion From Loan Apps (Philippines)
Introduction to the Data Privacy Act of 2012
The Data Privacy Act of 2012 (Republic Act No. 10173, or DPA) is the cornerstone of data protection law in the Philippines. Enacted on August 15, 2012, and effective from September 8, 2012, the DPA safeguards the fundamental right to privacy of communication and correspondence, as enshrined in Section 3, Article III of the 1987 Philippine Constitution. It regulates the processing of personal information—defined as any information from which a living individual can be identified, either directly or indirectly—by personal information controllers (PICs) and personal information processors (PIPs).
In the context of digital financial services, such as loan applications (commonly known as "loan apps"), the DPA is particularly relevant. Loan apps, including popular platforms like those operated by fintech companies, collect vast amounts of personal data, including sensitive personal information (SPI) such as financial details, biometric data, location information, and even health-related data if tied to loan eligibility assessments. These apps must register with the National Privacy Commission (NPC), the DPA's implementing body, and adhere to strict data processing principles: transparency, legitimate purpose, proportionality, and security.
The DPA's Implementing Rules and Regulations (IRR), issued via NPC Circular No. 2016-001 and subsequent amendments, provide detailed guidelines on compliance. For loan apps, additional oversight comes from the Bangko Sentral ng Pilipinas (BSP) under Circular No. 944 (2013) and the Securities and Exchange Commission (SEC) for digital lending regulations, but the DPA remains the primary framework for data rights enforcement.
Rights of Data Subjects Under the DPA
As a data subject (any individual whose personal data is processed), you possess several enforceable rights under Sections 16 to 22 of the DPA. These rights are designed to empower individuals against overreach by PICs like loan app operators. Key rights relevant to data deletion include:
Right to Access: You can obtain details on what personal data a PIC holds about you, how it is processed, and to whom it is disclosed.
Right to Rectification: Correct inaccurate or incomplete data.
Right to Blocking, Removal, or Destruction (Erasure): This is the core right for requesting data deletion. Under Section 17 of the DPA, you may demand the blocking (temporary suspension of processing), removal (permanent deletion from records), or destruction (irreversible elimination) of your personal data under specific grounds:
- The processing is unlawful.
- The data subject's consent was withdrawn (if consent was the basis for processing).
- The purpose for which the data was collected has been achieved or is no longer relevant.
- The PIC violated your rights under the DPA.
- Retention exceeds the prescribed period (e.g., under NPC Circular No. 2022-01, personal data should not be retained longer than necessary, typically 5-10 years for financial records unless required by law).
- Inaccurate, incomplete, or outdated data that cannot be rectified.
- For SPI, additional protections apply, as its processing requires explicit consent and is subject to stricter scrutiny.
Right to Damages: If your rights are violated, you can seek compensation for material (e.g., financial loss) or moral damages (e.g., emotional distress).
Right to Lodge a Complaint: With the NPC if the PIC fails to comply.
These rights apply to all personal data processed by loan apps, including application forms, loan histories, repayment records, device IDs, IP addresses, and shared data with credit bureaus like the Credit Information Corporation (CIC).
Applicability to Loan Apps in the Philippine Context
Loan apps in the Philippines operate under a booming fintech ecosystem, regulated by the BSP's Digital Banking Framework and the SEC's rules on digital lending platforms. As of 2025, over 100 registered digital lenders exist, many using apps to streamline loan approvals via algorithms that analyze personal data. However, this convenience often leads to data privacy risks, such as unauthorized sharing with third parties (e.g., debt collectors or advertisers) or data breaches, as seen in past NPC investigations into apps flagged for predatory practices.
Under the DPA, loan app operators are PICs if they determine the purpose and means of data processing. They must:
- Obtain clear, free, and informed consent before collecting data (NPC Advisory No. 2020-01 emphasizes this for digital platforms).
- Implement data privacy systems (DPS), including privacy impact assessments for high-risk processing like automated loan decisions.
- Notify data subjects of any data breach within 72 hours (NPC Circular No. 2016-002).
- Comply with the Data Privacy Act's cross-border transfer rules if data is sent abroad (e.g., to foreign servers).
The NPC has issued specific advisories on fintech, such as NPC Bulletin No. 2021-03, warning against loan apps that harass borrowers or misuse data for collections. In 2023-2024, the NPC fined several apps for DPA violations, underscoring its vigorous enforcement. If a loan app has been delisted by the SEC (as some predatory ones have), this strengthens the grounds for a deletion request, as its legal basis for data retention may cease.
Step-by-Step Guide: How to Request Data Deletion From Loan Apps
Requesting data deletion is a formal process under Sections 17 and 20 of the DPA. PICs must respond within a reasonable period—not exceeding 45 working days, as per best practices in NPC guidelines—and provide a written explanation if denying the request. Here's a comprehensive guide:
Step 1: Verify Your Eligibility and Gather Evidence
- Confirm you are a data subject: If you've applied for, availed of, or even just browsed a loan app, your data (e.g., name, contact details, financial history) may have been collected.
- Identify grounds for deletion: Review the app's privacy policy (mandated under DPA Section 20) to check consent validity, retention periods, and processing purposes. Common grounds include withdrawn consent post-loan repayment or if the app violated terms (e.g., unsolicited marketing).
- Collect supporting documents: Loan agreements, transaction receipts, screenshots of privacy notices, or proof of consent withdrawal.
Step 2: Identify the Personal Information Controller (PIC)
- The PIC is typically the loan app's operating company, not just the app itself. Check the app's footer, privacy policy, or Google Play/Apple App Store listing for the company name and contact details.
- Registered PICs must have a Data Protection Officer (DPO). Contact them via email, registered mail, or the app's support portal. For BSP-regulated entities, use official channels to avoid scams.
Step 3: Submit a Formal Written Request
- Format: Use a letter or email titled "Request for Data Erasure under the Data Privacy Act of 2012." Include:
  - Your full name, contact details, and any user ID/account number.
  - Specific data to be deleted (e.g., "all personal and financial data associated with my loan application dated [date]").
  - Grounds for the request (cite DPA Section 17 and specific reasons).
  - Preferred method of confirmation (e.g., written acknowledgment of deletion).
- Deadline: Request compliance within 15-30 working days.
- Delivery: Send via traceable means (e.g., email with read receipt, certified mail). If the app has a dedicated privacy request form, use it.
- Sample Template:
[Your Name]
[Your Address]
[Date]

[PIC's DPO or Company Name]
[PIC's Address/Email]

Subject: Request for Blocking, Removal, or Destruction of Personal Data under RA 10173

Dear [DPO/PIC Representative],

I am writing to exercise my rights as a data subject under Section 17 of the Data Privacy Act of 2012. I request the immediate [blocking/removal/destruction] of my personal data, including [list specifics, e.g., name, phone, financial records], processed by your organization via [app name] under account [ID].

Grounds: [e.g., Consent withdrawn; purpose (loan processing) fulfilled; data no longer necessary.]

Please confirm compliance in writing within [15-30 days] and provide details on actions taken.

Sincerely,
[Your Signature]
Step 4: Follow Up and Escalate if Necessary
- Track response: PICs must acknowledge receipt promptly. If no response within 45 days, send a follow-up.
- If granted: Obtain confirmation of deletion, including any data shared with third parties (PICs must notify recipients under DPA IRR).
- If denied: The PIC must justify in writing (e.g., legal retention requirements under the Anti-Money Laundering Act or tax laws). You can:
  - Appeal internally to the PIC's senior management.
  - File a complaint with the NPC via their online portal (privacy.gov.ph), email (npc@npc.gov.ph), or at their office (Quezon City). Include your request copy and PIC's response. The NPC can investigate, impose corrective orders, or fines up to PHP 5 million (DPA Section 25).
  - Seek judicial relief: File a civil case in Regional Trial Court for damages (DPA Section 20).
Step 5: Monitor and Prevent Future Issues
- Uninstall the app and revoke app permissions on your device.
- Check credit reports via CIC to ensure deleted data isn't lingering.
- For multiple apps, repeat the process; consider using NPC's data rights template tools.
Challenges and Common Pitfalls
- Retention Obligations: Loan apps may retain data for 5-10 years under BSP or tax laws (e.g., National Internal Revenue Code). Deletion applies only to non-mandatory data.
- Third-Party Sharing: If data was shared (e.g., with collection agencies), the PIC must facilitate deletion from those parties.
- Automated Processing: Loan apps using AI for decisions must explain their processing (DPA Section 19); challenge the decision if it leads to an unfair denial of deletion.
- Predatory Apps: If the app is unlicensed, report to SEC/BSP alongside NPC for stronger leverage.
- Costs: Requests are free, but legal aid may be needed for escalations (contact Integrated Bar of the Philippines for pro bono).
- Time Sensitivity: Act promptly, as NPC complaints have a 3-year prescription period from discovery of violation.
Penalties for Non-Compliance
Violations by loan apps can result in:
- Administrative fines: Up to PHP 5 million per violation.
- Criminal penalties: Imprisonment of 1-6 years for willful breaches (DPA Sections 25-28).
- Civil liabilities: Indemnification for damages.
The NPC has ramped up enforcement, with over PHP 100 million in fines issued since 2020, including against fintech firms.
Conclusion
The Data Privacy Act empowers Filipinos to reclaim control over their personal data from loan apps, promoting a fair digital economy. By exercising your right to erasure, you not only protect your privacy but also hold PICs accountable. Always document interactions and consult the NPC's resources (e.g., their website or hotlines: 02-8527-2751) for guidance. In an era of data-driven lending, vigilance ensures that convenience does not come at the expense of your rights. For personalized advice, consider consulting a lawyer specializing in data privacy law.