Data Privacy Rights to Delete Personal Information From Online Lending Apps in the Philippines

1) Why this matters in the Philippine online lending context

Online lending apps (often called “OLAs”) commonly collect highly sensitive and wide-ranging information—identity documents, selfies, employment details, bank or e-wallet information, device identifiers, location data, behavioral metadata, and sometimes even contact lists and social media data. When a borrower wants their data removed—because a loan is fully paid, an application was rejected, they withdrew consent, or the app’s collection practices felt excessive—Philippine law provides a framework for deletion or blocking of personal data, but it is not an absolute “delete everything immediately” right. It is a right exercised within rules on lawful processing, proportionality, retention, and legitimate bases for keeping data.

The primary law is the Data Privacy Act of 2012 (Republic Act No. 10173) (“DPA”), implemented through its IRR and National Privacy Commission (“NPC”) issuances.


2) The legal framework: what laws and regulators are involved

A. Republic Act No. 10173 (Data Privacy Act of 2012)

The DPA applies to entities that process personal data in the Philippines or that use equipment located in the Philippines (with typical exceptions). Online lending apps and their operators generally qualify as Personal Information Controllers (PICs), which decide what data is collected and why, and/or Personal Information Processors (PIPs), which process data on behalf of another entity. Many OLAs function as PICs.

Key principles relevant to deletion:

  • Transparency (you must be informed)
  • Legitimate purpose (processing must have a lawful, declared purpose)
  • Proportionality (collect only what is necessary)
  • Retention limitation (keep data only as long as necessary for the purpose or as required by law)
  • Security (protect the data while kept)

B. National Privacy Commission (NPC)

The NPC enforces the DPA. It investigates complaints, issues compliance orders, and can recommend prosecution for certain violations.

C. Sector regulators (often relevant in practice)

While your deletion right is anchored on the DPA and NPC, OLAs may also be subject to other regulators depending on structure:

  • SEC (for lending/financing companies and related practices, including conduct standards)
  • BSP (if the entity is a supervised financial institution or connected to regulated payment systems)

These regulators do not replace NPC’s role on data privacy, but they can be relevant when privacy abuse is part of broader misconduct (e.g., harassment and unlawful disclosure during collections).

3) What “delete” means under Philippine data privacy law

In Philippine privacy practice, “delete” often appears as the right to erasure or to blocking (restricting further processing), depending on context.

  • Erasure / Destruction: removing personal data so it can no longer be retrieved in identifiable form (including deletion from active systems, archives, and backups within reasonable technical limits).
  • Blocking / Restriction: retaining data but preventing its further use, disclosure, or processing except for limited legal purposes (e.g., defense of legal claims, compliance).
  • Anonymization: removing identifiers so the remaining data can no longer be linked to you (true anonymization is hard; if re-identification is reasonably possible, it’s still personal data).

In a lending setting, a company may be justified in retaining certain data for lawful purposes even after you ask for deletion—especially for audit, dispute resolution, fraud prevention, legal compliance, and defense against claims. The law focuses on retention limitation and necessity, not automatic deletion on demand.


4) Your core data subject rights that support deletion requests

Under the DPA, a data subject (you) has several rights that work together:

A. Right to be informed

You must be told what data is collected, why, how it will be used, who it will be shared with, and how long it will be retained.

B. Right to object (including withdrawal of consent where consent is the basis)

If processing is based on consent, you can withdraw it. If processing is based on other grounds (contract, legal obligation, legitimate interests), “withdrawal of consent” may not stop processing that is necessary on those other grounds—but it can stop optional/excessive processing.

C. Right to access and rectification

Before pushing for deletion, borrowers often request access to:

  • all data collected,
  • the sources of data,
  • the recipients/third parties the data was disclosed to,
  • retention periods and justification.

This helps you identify what must be deleted and what is unlawfully held.

D. Right to erasure or blocking

This is the right most directly related to deletion. It is commonly invoked when:

  • data is no longer necessary for the stated purpose,
  • processing is unlawful or excessive,
  • consent was withdrawn and no other legal basis exists for continued processing,
  • data is inaccurate and the controller refuses to correct it,
  • processing causes unwarranted damage or violates your rights.

E. Right to damages and to file a complaint

If you suffered harm (financial loss, harassment, reputational damage, emotional distress) from unlawful processing or disclosure, you may pursue remedies. The DPA also includes criminal offenses for certain acts (e.g., unauthorized access, disclosure, negligent handling).


5) The lawful bases OLAs typically rely on—and how they affect deletion

In the Philippines, OLAs generally justify processing using one or more of these bases:

A. Contract / Pre-contractual necessity

If you applied for a loan, the app may process data necessary to evaluate eligibility, prevent fraud, and service the loan. Even if you later request deletion, the controller can often retain data needed to:

  • administer the loan,
  • document the transaction,
  • address disputes,
  • enforce the contract (including collections done lawfully).

B. Legal obligation

Certain records may be kept due to tax, accounting, financial reporting, or other regulatory requirements. This can justify retention beyond payoff.

C. Legitimate interests

A lender may claim legitimate interests such as fraud detection, security, risk management, and legal defense—provided those interests are not overridden by your fundamental rights, and provided the processing is necessary and proportionate.

D. Consent

Consent is often used for optional data uses (marketing, access to phone features, contact list syncing, location tracking not strictly needed). Consent must be freely given, specific, informed, and time-bound in spirit. If the app uses consent as a catch-all for intrusive access, that is vulnerable to challenge under proportionality and transparency rules.

Practical implication: Deletion requests are strongest where the data is not necessary for the loan relationship or compliance, and weakest where data must be retained for legal defense or legal obligations. Many disputes turn on whether the app collected too much (e.g., harvesting contacts) or used data for new purposes (e.g., shaming/harassment, mass messaging, or broad third-party sharing).


6) High-risk practices in OLAs that commonly violate deletion/retention principles

A. Accessing and uploading your contact list for “collections”

Collecting an entire contact list is difficult to justify as proportionate to credit evaluation or collections. Even when apps claim it’s for identity verification or reference checks, bulk harvesting is often excessive.

Deletion angle: You can demand:

  • deletion of contacts data obtained from your phone,
  • cessation of further use/disclosure,
  • proof that the data has been erased or irreversibly anonymized,
  • notice to third parties (processors/collection agencies) to delete the same data where appropriate.

B. Disclosing your debt status to third parties (friends, employers, contacts)

Sharing your loan status with people who are not parties to the loan is typically outside legitimate purpose and may be an unlawful disclosure.

Deletion angle: You can demand deletion of message logs, contact export lists, and dissemination lists, plus restriction orders internally to prevent repeat processing.

C. Indefinite retention “just in case”

Keeping full KYC packets, biometrics, device data, and communications without defined retention periods can violate retention limitation.

Deletion angle: Request the retention schedule and justification; ask for deletion or blocking once the stated purpose ends.

D. Using data for marketing or onward transfers

If your data is used for cross-selling, profiling, or shared with affiliates without a clear lawful basis, you can object and request erasure of marketing profiles, suppression lists, and third-party copies (where legally feasible).


7) When you can realistically demand deletion (and when you may only get blocking)

Strong cases for deletion/erasure

  1. You never proceeded with the application and no loan was granted, and the app has no lawful reason to keep data beyond a short evaluation period.
  2. Data collected was excessive (e.g., contacts, unrelated media/files, continuous location tracking).
  3. Processing was unlawful (no valid notice, deceptive permissions, purpose creep, unauthorized sharing).
  4. Consent-based processing was withdrawn and there is no alternate legal basis.

Common lawful reasons the app may keep some data (blocking may be appropriate instead)

  1. Loan documentation and payment records needed for audit/accounting/regulatory compliance.
  2. Records needed to defend legal claims (e.g., disputes about charges, fraud, identity theft).
  3. Fraud prevention and security logs retained for a defined period (must still be proportionate and secured).

A reasonable outcome in many legitimate lending relationships is partial deletion: delete what is unnecessary/excessive, and block or minimize what must be retained.


8) What OLAs must do when you request deletion or blocking

A compliant controller should be able to:

  • Verify your identity (without collecting more data than necessary).
  • Explain what data they hold and why it is held.
  • Identify which data can be erased and which must be retained, with legal justification.
  • Implement deletion across systems and instruct processors/third parties accordingly (where applicable).
  • Document actions taken.
  • Maintain security during the process.
  • Stop unauthorized disclosures and remediate if a breach occurred.

They should also have a reachable Data Protection Officer (DPO) or an equivalent contact point for privacy concerns.


9) How to exercise your deletion rights: a practical, Philippines-specific roadmap

Step 1: Collect evidence and define the scope

  • Screenshots of app permissions requested (contacts, SMS, storage, location).
  • Screenshots of harassment/shaming messages or calls (if applicable).
  • Proof of payoff or account closure.
  • The privacy notice and terms you were shown (or lack thereof).

Step 2: Send a written request to the OLA (email or in-app support)

Ask for:

  1. A copy of all personal data they hold about you (access request).
  2. A list of third parties they shared your data with (recipients, collection agencies, affiliates).
  3. Retention period for each data category and legal basis.
  4. Erasure of data no longer necessary, especially contacts and marketing profiles.
  5. Blocking/restriction of data that must be retained solely for compliance/legal defense.
  6. Confirmation that processors/third parties were instructed to delete or stop processing where appropriate.

Step 3: Escalate to the NPC if ignored or denied without justification

If the company:

  • refuses to act without explaining lawful basis,
  • continues contacting your friends/contacts,
  • keeps harvesting or disclosing,
  • or fails to provide access/retention details,

you can file a complaint with the NPC. NPC processes are document-heavy; keep organized evidence and a timeline.

Step 4: Consider parallel complaints if the conduct is broader than privacy

If the situation includes harassment, threats, or public shaming, privacy enforcement can be paired (where applicable) with complaints to other regulators or law enforcement, depending on facts. The privacy component focuses on unlawful processing/disclosure and inadequate safeguards.


10) A strong deletion request template (adapt as needed)

Subject: Data Privacy Request – Access, Erasure/Blocking, and Cessation of Unlawful Processing

Body (core points):

  • Identify yourself (full name used in the app, registered mobile number/email, loan/application reference if available).

  • State your request under the Data Privacy Act of 2012:

    1. Provide a copy of all personal data you process about me and the sources of such data.
    2. Provide the purposes, lawful bases, and retention periods per data category.
    3. Provide the identities/categories of third parties to whom my data was disclosed, including collection agencies and service providers.
    4. Erase personal data that is no longer necessary for the declared purpose, including (if applicable) my device contact list data, contact exports, marketing profiles, and any data processed beyond what is necessary for credit evaluation/servicing.
    5. Where you claim a legal obligation or legal defense basis for retention, restrict/block the data from any further processing or disclosure unrelated to compliance/legal defense.
    6. Confirm in writing the actions taken, including instructions issued to your processors/third parties.
  • If relevant: demand cessation of contacting third parties about your loan, and deletion of dissemination lists used for such acts.

Keep the tone factual. Avoid emotional language; stick to traceable claims.


11) Remedies and consequences for noncompliance (overview)

A. Administrative and corrective actions

The NPC can order compliance measures such as:

  • stopping unlawful processing,
  • implementing security safeguards,
  • deleting or blocking data,
  • improving privacy governance (policies, DPO, breach handling).

B. Civil liability (damages)

If you suffered harm due to unlawful processing or disclosure, you may pursue compensation where warranted by facts and evidence.

C. Criminal offenses (in serious cases)

The DPA criminalizes certain acts such as unauthorized processing, unauthorized access/disclosure, and negligent access that leads to breaches. Whether a specific case rises to a criminal level depends heavily on proof of intent, acts, and harm.


12) Special issues: backups, third parties, and “can they really delete it?”

Backups and archives

Complete deletion from backups cannot always be carried out instantly. A reasonable standard is:

  • delete from active systems promptly,
  • ensure backups are overwritten on normal cycles,
  • prevent restoration into active use,
  • block processing while retained for disaster recovery.

Third-party collectors and service providers

If the OLA shared your data with:

  • collection agencies,
  • cloud service providers,
  • analytics vendors,
  • KYC vendors,

a responsible controller should cascade your valid deletion/blocking request where applicable. Some data may still be retained by third parties for their own legal obligations; the key is to stop unnecessary processing and disclosure.

“Blacklists” and fraud databases

Fraud prevention records may be retained under legitimate interests, but they must be proportionate, accurate, and retained for a defined period. You can challenge inaccurate or unfair listings and request rectification or restriction.


13) Practical expectations after loan payoff or account closure

If you fully paid:

  • You can reasonably request deletion of excessive data (contacts, marketing, nonessential telemetry) and request that KYC data be minimized to what must be retained for compliance.
  • You can request that the account be marked closed, processing limited, and disclosures stopped.
  • You can demand clarity on retention: what is kept, for how long, and why.

If you only inquired/applied but never got a loan:

  • You can often demand broader deletion, because the contract basis may not exist and necessity ends quickly once evaluation ends (subject to fraud/security retention that must still be proportionate).

14) Key takeaways

  • In the Philippines, the right to delete personal data from online lending apps exists primarily as the right to erasure and/or blocking, grounded in the DPA’s principles of legitimate purpose, proportionality, and retention limitation.
  • Deletion is not absolute: apps may lawfully retain limited data for compliance, auditing, fraud prevention, and legal defense—but must justify it and restrict use.
  • The strongest deletion claims arise when OLAs collect contacts and other excessive data, disclose debt status to third parties, or retain data indefinitely without a clear, lawful purpose.
  • Effective enforcement starts with a written, evidence-backed request to the OLA and escalates to the National Privacy Commission when the controller refuses, ignores, or continues unlawful processing.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.