Delete Personal Data from Online Lending App Philippines

(General legal information; not legal advice.)

1) The problem in context

Many online lending apps in the Philippines collect far more data than what is needed to grant and service a loan—often including contacts, photos/files, location, device identifiers, and social media details. Borrowers then discover that uninstalling the app does not necessarily delete the data already copied to the lender’s servers or shared with third parties (collection agencies, call/SMS vendors, analytics providers).

In Philippine law, the main legal tool for “deleting personal data” is the Data Privacy Act of 2012 (RA 10173), enforced by the National Privacy Commission (NPC). Depending on the lender’s status, SEC (for lending/financing companies) or BSP (for banks/BSP-supervised entities) may also be relevant—especially where data misuse is tied to abusive collection.


2) Key legal framework (Philippines)

A. Data Privacy Act (RA 10173) and its implementing rules

RA 10173 governs:

  • Collection, processing, storage, disclosure, and disposal of personal data
  • The rights of individuals (“data subjects”)
  • The obligations of organizations that decide why/how data is processed (“Personal Information Controllers” or PICs) and those that process data for them (“Personal Information Processors” or PIPs)

B. Why “delete my data” is not absolute

Philippine privacy law recognizes a right to erasure/blocking in appropriate cases, but it also allows controllers to retain certain data where there is a lawful basis and necessity—particularly for:

  • Contract performance (servicing an existing loan, accounting, reconciliation)
  • Legal obligation (record-keeping required by law/regulation, tax/audit)
  • Establishing, exercising, or defending legal claims (disputes, collections through lawful channels)
  • Legitimate interests (limited cases, balanced against your rights)

So the legally correct goal is often:

  1. Stop unlawful or excessive processing,
  2. Delete what must be deleted, and
  3. Limit retention to the minimum necessary for lawful purposes.

3) What “personal data” usually means in lending apps

Under RA 10173, personal data includes anything that identifies you or makes you identifiable. In lending apps, this commonly includes:

A. Identity and financial data

  • Name, date of birth, address, IDs, selfies
  • Employment and income details
  • Bank/e-wallet details, payment history
  • Credit-related information

B. Device and behavioral data

  • Phone model, device ID/advertising ID, IP address
  • App usage logs, timestamps, geolocation
  • Call/SMS metadata (sometimes requested or inferred)

C. Contacts and third-party data (high-risk area)

  • Your phonebook: names/numbers of family, friends, employer, co-workers
  • Sometimes messages to contacts or “reference checks” performed aggressively

Important: Your phonebook contains other people’s personal data. Lenders must have a lawful basis to process that third-party data, and “you tapped Allow” is not automatically a blanket permission to harass or disclose your debt to others.


4) Your rights that matter most when you want deletion

A. Right to be informed

You are entitled to know:

  • What data is collected
  • Why it is collected
  • Who it is shared with
  • How long it is kept
  • How to contact the company’s privacy office / Data Protection Officer (DPO)

B. Right to object

You can object to processing—especially for:

  • Non-essential uses (marketing, profiling, broad analytics)
  • Processing based only on consent that you withdraw
  • Uses that are excessive for the loan purpose (e.g., accessing contacts unrelated to underwriting)

C. Right to access and correction

Before pushing for deletion, it can be strategic to request:

  • A copy/summary of your data
  • A list of recipients/third parties the data was shared with
  • Correction of inaccurate records (to prevent “wrong person” collection)

D. Right to erasure or blocking (the “delete” right)

You may demand deletion/blocking when, for example:

  • The data is unlawfully processed
  • The data is no longer necessary for the declared purpose
  • You withdraw consent and there is no other lawful basis
  • The processing is excessive, irrelevant, or disproportionate
  • The data is being used for harassment, public shaming, or unauthorized disclosure

E. Right to damages and to file a complaint

If you suffer harm from privacy violations (including harassment enabled by data misuse), RA 10173 recognizes remedies including complaints before the NPC and potential civil damages, depending on proof and circumstances.


5) Lawful bases the lender may claim (and what you can still challenge)

Even if a lender refuses “full deletion,” you can still challenge scope and behavior.

A. “Contract necessity”

They may retain core data needed to:

  • Maintain your account and records
  • Compute balances, interest, fees
  • Prove payments and arrears
  • Resolve disputes

What you can still demand:

  • Limit data to what is necessary
  • Delete non-essential categories (contacts, media files, marketing profiles)
  • Stop third-party disclosures beyond lawful collection

B. “Legal obligation” (records retention)

They may need to keep certain documents for:

  • Tax, audit, accounting, regulatory compliance
  • Complaint-handling and fraud prevention

What you can still demand:

  • A written explanation of the specific retention purpose
  • A retention period (or criteria)
  • Restricted access, security controls, and no further sharing

C. “Legitimate interests”

Some lenders argue legitimate interests for fraud prevention and security.

What you can still demand:

  • A balancing explanation (why their interest overrides your rights)
  • Deletion of data not needed for that purpose
  • Blocking of processing that causes harassment or unreasonable intrusion

6) The practical reality: uninstalling is not deletion

Uninstalling usually only removes the app from your phone. It does not automatically:

  • Delete server-side copies
  • Cancel sharing to vendors/collectors
  • Remove your data from backups
  • Remove your data from call/SMS platforms or CRM systems

A legally meaningful deletion attempt requires a formal data subject request to the company, plus targeted steps to prevent further collection.


7) Step-by-step: how to pursue deletion under Philippine law

Step 1: Freeze new data collection from your phone

Do this first to stop further intake:

  • Revoke app permissions (Contacts, Storage/Files, Location, Phone, SMS) in phone settings
  • Disable background data and remove “always allowed” permissions
  • If the app uses web portals, change passwords and enable stronger security
  • Screenshot current permissions and privacy settings (evidence)

Step 2: Gather key identifiers and evidence

Prepare:

  • The app name and the company name (as shown in the app, website, or loan contract)
  • Your registered email/phone number and account ID
  • Screenshots of privacy notice/permissions prompts
  • Proof of harassment or contact-spamming (if relevant)

Step 3: Send a formal “Data Subject Request” (DSR)

Send to the lender’s official support email and any posted privacy/DPO contact channel.

Your request should include three clear parts:

  1. Access/Disclosure request (optional but powerful). Ask for:

    • Categories of personal data held
    • Purposes and lawful bases
    • Sources of data
    • List of third parties the data was disclosed to (collectors, vendors)
    • Retention period or criteria
  2. Erasure/Blocking request. Demand deletion or blocking of:

    • Contacts and any imported phonebook data
    • Photos/files and any copied storage items
    • Marketing and profiling data
    • Any processing not strictly necessary for an existing lawful purpose
    • Any disclosures to third parties not necessary and lawful
  3. Withdrawal of consent + objection. State that you:

    • Withdraw consent for processing not necessary for the loan’s legitimate servicing and legal compliance
    • Object to processing for marketing, profiling, contact-mining, or shaming tactics
    • Demand that any third-party processors/collectors be instructed to delete/block the data as well

Identity verification: Expect them to ask for ID to prevent wrongful deletion requests by impostors. Provide only what’s necessary (and watermark copies where reasonable).

Step 4: Demand deletion downstream (third parties)

Online lenders often outsource collections and communications. Require the lender to:

  • Identify the collection agencies and vendors processing your data
  • Provide written confirmation that they instructed these parties to delete/block the relevant data
  • Stop all processing that discloses your debt to third parties

Step 5: Ask for written confirmation and a “retention-minimization” plan

If they claim they must retain some data:

  • Require a written breakdown of what they will keep and why
  • Require the data to be restricted (no marketing, no contact-spam, no disclosure)
  • Require a retention end-date or criteria, and deletion after that point

Step 6: Escalate if ignored or refused without adequate legal basis

If you receive no meaningful response or you have evidence of misuse (contacts harassment, disclosure, shaming):

  • File a complaint with the National Privacy Commission (NPC).
  • Attach evidence: screenshots, messages, call logs, privacy notice, your DSR email, and their reply (or lack of reply).

If the lender is a lending/financing company, parallel complaint avenues may exist with the SEC when data misuse is tied to prohibited collection practices. If the lender is a bank/BSP-supervised entity, consumer protection escalation can also be relevant.


8) What to request for each common data category (a targeted approach)

A. Contacts (phonebook) — request deletion with urgency

Ask for:

  • Immediate deletion of all imported contacts
  • Prohibition on further access
  • Confirmation they did not store or share contacts; if they did, identify recipients and order deletion
  • Blocking of any “reference contact blasting” practices

Why this request is strong: Contacts are typically not necessary to service a loan after underwriting, and they contain third-party personal data.

B. Photos, files, storage — request deletion unless strictly required

If the app copied:

  • Government IDs, selfies
  • Payslips, bank screenshots
  • Utility bills

They may lawfully retain certain onboarding documents for compliance and dispute defense, but you can still demand:

  • Deletion of unrelated media/files
  • Security controls and restricted access
  • No reuse for marketing or disclosure

C. Location and device tracking — request stop + delete non-essential logs

Ask them to:

  • Stop collecting location/device telemetry unless necessary for fraud prevention/security
  • Delete historic location logs and advertising IDs used for profiling
  • Disable cross-app tracking and third-party ad analytics tied to your identity

D. Collection communications (SMS/calls/WhatsApp/FB, etc.)

Even if they keep a ledger record, you can demand:

  • Blocking of abusive messaging scripts
  • Deletion of your number from marketing lists
  • Termination of third-party dialer/SMS vendor processing not needed for lawful collection

9) When “deletion” conflicts with an unpaid loan

If there is an outstanding balance, lenders often keep:

  • Contract and identity verification
  • Payment history and ledger
  • Communications records related to servicing/collection
  • Internal risk notes (limited)

You can still insist on:

  • Deleting contacts and third-party data
  • Deleting marketing/profiling data
  • Stopping disclosure to unrelated third parties
  • Limiting processing to lawful, proportionate, non-harassing collection methods
  • Ceasing any publication/shaming and removing posts

Deletion is not a substitute for debt resolution, but privacy rights restrict how lenders may pressure payment.


10) Strong indicators of unlawful processing in online lending (Philippine setting)

These patterns frequently support an erasure/blocking demand and NPC complaint:

  • The app collected contacts without a clear necessity and later used them to pressure you
  • The lender disclosed your debt status to people who are not parties to the contract
  • Messages include threats of arrest for mere non-payment
  • The lender posted your personal data publicly (“shame lists,” social media posts)
  • The lender continues processing after you withdrew consent for non-essential purposes
  • The lender cannot provide a clear privacy notice, lawful basis, retention policy, or DPO contact

11) A practical template you can adapt (short, formal)

Subject: Data Subject Request – Access, Erasure/Blocking, and Withdrawal of Consent (RA 10173)

Body (core points):

  • Identify yourself and your account details (registered name, phone/email, account/loan number).
  • Request (1) categories of data held, purposes, lawful bases, recipients/third parties, retention period; (2) deletion/blocking of contacts, non-essential data, marketing/profiling data; (3) withdrawal of consent and objection to non-essential processing; (4) confirmation that all processors/collection agencies were instructed to delete/block; (5) written confirmation of completion and what data (if any) must be retained with legal basis and note of restricted use.

Keep it factual, not emotional, and attach only necessary ID verification.


12) What the lender’s response should look like (minimum acceptable)

A compliant response should typically include:

  • Confirmation of identity verification steps
  • A list of personal data categories held
  • Purposes and lawful bases for each category
  • Names/types of third parties who received data
  • Specific items deleted/blocked and the effective date
  • Any retained data with clear retention basis and restriction
  • Contact details for the privacy office/DPO

Vague replies like “We comply with data privacy” without specifics are usually inadequate.


13) Evidence and safety considerations

Because privacy disputes can overlap with abusive collection:

  • Keep screenshots, timestamps, and call logs
  • Save copies of emails and delivery receipts
  • Avoid sending unnecessary sensitive documents
  • Consider watermarking ID copies (“For privacy verification only” + date)

14) Bottom line

In the Philippines, deleting personal data from an online lending app is principally enforced through RA 10173. You can demand erasure/blocking of data that is unlawful, excessive, or no longer necessary—especially contacts and third-party data—while the lender may lawfully retain a minimal set of records needed for contract servicing, legal compliance, and dispute defense. The most effective approach is a written, targeted data subject request that combines withdrawal of consent, objection, deletion/blocking, and third-party deletion instructions, backed by preserved evidence.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.