In the Philippines, the rapid proliferation of Financial Technology (FinTech) and Online Lending Applications (OLAs) has revolutionized access to credit. However, this convenience often comes at the cost of extensive personal data collection. Under Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (DPA), borrowers are not merely "customers" but data subjects endowed with specific, enforceable rights. Among the most critical of these is the Right to Erasure or Blocking.
The Legal Framework: RA 10173 and the Right to Erasure
Section 16(e) of the DPA provides data subjects the right to suspend, withdraw, or order the blocking, removal, or destruction of their personal information from a personal information controller’s (PIC) filing system. This is colloquially known as the "right to be forgotten."
In the context of lending apps, this right is triggered when:
- The personal information is incomplete, outdated, false, or unlawfully obtained.
- The personal information is being used for unauthorized purposes.
- The personal information is no longer necessary for the purposes for which it was collected.
- The data subject withdraws consent or objects to the processing, and there is no other legal ground or overriding legitimate interest for the processing.
- The data concerns private information that is prejudicial to the data subject, unless justified by freedom of speech, of expression, or of the press or otherwise authorized by law.
Grounds for Requesting Deletion
A borrower can demand that a lending app delete their data under several specific circumstances:
- Loan Fulfillment: Once a loan is fully paid and the account is closed, the primary "contractual necessity" for holding the data may expire, depending on the company's retention policy.
- Withdrawal of Consent: If a borrower previously consented to the app accessing their contacts or social media (which is now strictly regulated by the NPC), they may withdraw that consent.
- Illegal Processing: If the app is found to be using data for "debt shaming" or contacting persons in the borrower's contact list who are not co-makers or guarantors, the processing becomes unlawful.
The Conflict: Debt vs. Data Privacy
It is a common misconception that a borrower can delete their data to escape a debt. The DPA provides clear limitations to the right to erasure.
| Aspect | Right to Erasure Applies | Right to Erasure is Limited |
|---|---|---|
| Loan Status | Loan is fully settled; no pending obligations. | Loan is active, in default, or unpaid. |
| Legal Basis | Data processing was based solely on consent. | Data processing is necessary for a contract or legal obligation. |
| Regulatory Requirement | No statutory retention period exists. | Compliance with AMLA (Anti-Money Laundering Act) or BSP regulations. |
| Company Interest | Data is used for marketing or secondary purposes. | Data is needed to protect the lender's right to collect a debt. |
Note: Lending apps are often required by the Bureau of Internal Revenue (BIR) and the Bangko Sentral ng Pilipinas (BSP) to retain transaction records for a period of five (5) to ten (10) years. In such cases, the app may "block" the data from active use rather than deleting it entirely.
Step-by-Step Process for Requesting Deletion
If you believe you have the grounds to request the deletion of your personal data, follow this legal procedure:
1. Contact the Data Protection Officer (DPO)
Under the DPA, every lending company (duly registered with the SEC) is required to have a Data Protection Officer. Locate the DPO’s contact information via the app’s Privacy Policy or the "Contact Us" section.
2. Submit a Formal Written Request
Your request should be formal and include:
- Your full name and account details.
- The specific data you wish to be deleted (e.g., contact list, photos, or the entire account).
- The legal ground for the request (e.g., "The loan has been settled as of [Date], and the data is no longer necessary").
- A request for a written confirmation that the data has been erased or blocked.
3. The 30-Day Window
The company generally has thirty (30) days to act upon your request. They may either grant the deletion or provide a legal justification as to why they must retain certain data (e.g., "Retained for 5 years per AMLA requirements").
4. Escalation to the National Privacy Commission (NPC)
If the lending app ignores the request, refuses without legal basis, or continues to use the data (e.g., persistent marketing or harassment), the borrower may file a formal complaint with the NPC.
Prohibited Acts by Lending Apps
The NPC has issued specific circulars (e.g., NPC Circular No. 20-01) prohibiting certain data processing activities by OLAs:
- Accessing Contacts/Photos: Apps cannot require access to your contact list or gallery as a condition for a loan.
- Debt Shaming: Using personal data to harass, shame, or threaten borrowers or their contacts is a criminal offense under the DPA and the Cybercrime Prevention Act.
- Unauthorized Disclosure: Sharing your delinquency status with third parties (other than credit bureaus authorized by law) is a violation of privacy.
Summary of Rights
As a borrower in the Philippines, your data is protected by law. While the right to erasure is not absolute—especially when a debt remains unpaid—it serves as a shield against the perpetual retention and misuse of your personal information once the professional relationship with the lender has concluded. Proper documentation and direct communication with the company’s DPO are the most effective tools for exercising these rights.