Handling Harassment from Online Lending Apps Contacting Personal Contacts in the Philippines

This is practical legal information for the Philippines. It is not a substitute for advice from your own lawyer. Laws and procedures can change; treat this as a starting point.

Executive summary

If a lending app (“OLA”) is shaming you by texting or calling your family, co-workers, or friends, that conduct is generally unlawful in the Philippines. Several legal regimes protect you and your contacts:

Data Privacy Act of 2012 (DPA) and its IRR: Using your phone’s contact list and messaging those people about your debt is typically unauthorized processing of personal data and a privacy violation, even if you clicked “allow contacts.”
SEC rules on unfair debt collection (for registered lending/financing companies): Threats, public shaming, and contacting people other than you (or your valid guarantor/co-maker) are prohibited.
Financial Products and Services Consumer Protection Act (RA 11765): Bars abusive collection by regulated financial providers and gives regulators broader enforcement powers.
Revised Penal Code & Cybercrime law: Depending on the facts, the behavior may also be grave/coercive threats, unjust vexation, libel/slander, or extortion.
Civil Code (Arts. 19–21): You may sue for damages for abuse of rights/humiliation.

You can (1) protect yourself and your contacts, (2) invoke your privacy rights and demand the lender stop, (3) complain to regulators (NPC and SEC) and, where appropriate, (4) pursue criminal/civil remedies.

Why contacting your contacts is usually illegal

1) Data Privacy Act (RA 10173)

Who is protected: You and your contacts (they’re “data subjects” even if they never used the app).
Why it’s unlawful:
- Lack of valid consent. Consent under the DPA must be freely given, specific, informed, and evidenced. “Bundled” consent (e.g., “allow contacts or you can’t use the app”) is suspect.
- No lawful basis for processing third-party data. Your contacts didn’t consent, and “legitimate interests” doesn’t justify shaming or debt disclosure to third parties.
- Purpose limitation and proportionality. Harvesting a full contact list and blasting messages to non-borrowers is excessive and not necessary to collect a debt.
Liability: Companies and responsible officers can face administrative liability (orders to stop, delete data, pay damages) and criminal penalties for certain acts (e.g., unauthorized processing and disclosure).

2) SEC regulation of lending/financing companies

Who is covered: Lending companies (RA 9474) and financing companies (RA 8556) registered with the SEC.
Key idea: The SEC has repeatedly barred unfair debt collection practices such as threats, profane/abusive language, public shaming, and contacting third parties other than the borrower or a legitimate guarantor/co-maker—and even then, only to obtain location/contact information and without revealing the debt. Violations can lead to fines, suspension/revocation of the certificate of authority, and cease-and-desist orders.
Unregistered apps: Operating a lending business without an SEC certificate of authority is illegal. Report them.

3) Financial Products & Services Consumer Protection Act (RA 11765)

Scope: Banks (BSP-regulated), SEC-regulated lending/financing companies, and insurance entities.
What it adds: A broad prohibition on abusive collection and enhanced enforcement powers (administrative sanctions, restitution, CDOs) by the appropriate regulator (BSP, SEC, or Insurance Commission).

4) Possible crimes

Grave threats / coercion / unjust vexation.
Libel or slander (including online).
Extortion (asking money under threat of shaming or fabricated charges).
Violations of the Cybercrime Prevention Act when done online. You may file with the City Prosecutor (for inquest/complaint) and coordinate with PNP-Anti-Cybercrime Group or NBI-Cybercrime Division for digital evidence.

5) Civil liability

Under Articles 19–21, Civil Code, you can sue for moral and exemplary damages due to abusive, humiliating tactics, plus attorney’s fees.

Immediate steps (today)

Preserve evidence.
- Screenshots of messages/calls (showing numbers, timestamps, names).
- App permissions (screen grabs), consent screens, loan agreement, payment history.
- Messages your contacts received. Ask them to forward unaltered screenshots.
- Record calls if you can legally do so (PH generally allows recording if at least one party consents—you, in your own call).
Lock down the app’s access.
- On your phone: Settings → Apps → [App] → Permissions → Contacts/Storage/Phone → Deny.
- Uninstall the app after preserving evidence. If you still need access to your account for repayment, use the web portal if available.
- Change passwords and enable 2FA on email and financial apps.
Tell your contacts what’s happening.
- Explain it’s an unlawful practice and they can block/report the numbers.
- Ask them to save evidence and, if willing, file their own privacy complaints as affected data subjects.
Do not send IDs/selfies/“apology videos.”
- These are often demanded to escalate control and increase humiliation risk.
Decide your repayment plan separately from the harassment.
- If you truly owe money, you may still choose to repay on agreed terms—but coercive/abusive tactics do not erase your rights.
- Do not pay “penalties to stop shaming” that aren’t in your contract.
Report spam/threats to your telco through their spam reporting channels (e.g., the 7726 short code or official in-app spam tools), and block numbers.

Enforcing your rights

A) Send a Data Privacy “Cease & Desist + Erasure” letter (free)

Send to the lender’s Data Protection Officer (DPO) and company email/registered address.

Assert your rights:
- Right to object to processing for third-party outreach/shaming.
- Right to erasure/blocking of unlawfully collected third-party contacts.
- Right to restrict processing to what is strictly necessary to service/collect the debt.
Demand:
- Stop all communications to third parties;
- Delete any data from your contact list and confirm in writing;
- Disclose the legal basis they rely on, retention period, and data recipients;
- Provide the identity and contact of their DPO.
Attach: Proof of identity, screenshots, and your preferred contact channel (email only).

A template you can adapt appears at the end.

B) File a complaint with the National Privacy Commission (NPC)

Who can file: You and any contacts who received messages.
Before filing: The NPC typically expects that you first tried to resolve the issue with the company/DPO (keep proof).
What to submit: Sworn statement, evidence (screenshots, letters, IDs), details of the app/entity, and proof you reached out to their DPO.
What NPC can do: Order the company to cease processing, delete data, notify third parties, and pay damages/penalties under the DPA.

C) Report to the SEC (for lending/financing companies)

What to allege: Unfair debt collection and, if applicable, illegal operation (no certificate of authority).
What to include: The app/name of the entity, sample messages/calls, your loan details, and how they accessed your contacts.
Possible outcomes: Warnings, fines, suspension/revocation, public advisories, and cease-and-desist orders.

Tip: If you’re unsure which regulator has jurisdiction, file with both NPC (privacy) and SEC (collection conduct). If the provider is a bank or EMI, also complain to the BSP Consumer Assistance unit.

D) Consider criminal and civil action

For serious threats or defamation, consult a lawyer about filing a criminal complaint with the Prosecutor’s Office.
For damages (psychological harm, reputational loss), consider a civil action under the Civil Code and the DPA (damages and attorney’s fees).
If urgent, your counsel can seek injunctive relief to stop ongoing harassment.

Special situations

Unregistered or “fly-by-night” app: Stop engaging. Preserve evidence and report immediately to the SEC and law enforcement.
Identity theft (you didn’t borrow): File a formal dispute with the lender, a police blotter, and an NPC complaint for wrongful processing.
Employer is being contacted: Inform HR/Legal that these are unfair collection and privacy violations; ask them to block/report and preserve evidence.
Minors or vulnerable persons were contacted: Flag this in your NPC/SEC complaints; it increases the gravity of the breach.
You’re a contact being harassed (not the borrower): You can file your own NPC complaint as a data subject and send a cease-and-desist citing DPA rights. You have no obligation to provide information about the borrower.

Practical prevention for the future

Never grant “Contacts” permission to financial apps that don’t clearly need it.
Use a dedicated email/number for lending registrations to limit exposure.
Only borrow from regulated entities (banks, and SEC-registered lending/financing companies).
Read privacy notices and take screenshots of consent screens before you proceed.

Evidence checklist (attach to complaints)

Your ID (blur sensitive numbers not needed for verification).
Loan contract, app screenshots, payment records.
Permissions page showing whether “Contacts” access was enabled.
SMS/call logs and screenshots from you and your contacts (unaltered).
Your Cease & Desist letter and the company’s reply (or lack thereof).
Proof of the company’s identity: app page, emails, letters, registered address.

Frequently asked questions

Q: I clicked “Allow Contacts.” Did I waive my rights? A: No. Consent must be freely given, specific, and informed—and you cannot consent on behalf of your contacts. Over-broad, coercive, or bundled consents are challengeable.

Q: Can they sue me for posting about them online? A: Avoid posting confidential documents. Stick to truthful, necessary statements in complaints to authorities. Public posts risk counter-claims; ask a lawyer first.

Q: Will repaying stop the harassment? A: Sometimes—but it does not legitimize unlawful conduct that already occurred. You can still pursue complaints for past violations.

Q: Can a “reference” I listed be contacted? A: Regulators generally permit limited contact only to obtain location/contact information and without disclosing your debt. Shaming, repeated calls, or disclosures are improper.

Templates (adapt to your facts)

1) Data Privacy Cease & Desist + Erasure (Borrower)

Subject: NOTICE – Exercise of Data Subject Rights; Cease & Desist from Third-Party Contact

[Date]

Data Protection Officer
[Company Name]
[Company Address / Email]

I am [Full Name], borrower under Account/Loan No. [____]. Pursuant to the Data Privacy Act of 2012 and its IRR, I hereby:

1) OBJECT to any processing of my personal data for the purpose of contacting third parties (including persons in my device’s contact list) and to any disclosure of my debt or alleged debt to them;

2) DEMAND the immediate CESSATION of all communications to my contacts, co-workers, and employer; and

3) DEMAND ERASURE of any personal data of third parties obtained from my device or otherwise, and confirmation in writing within five (5) days that deletion has been completed.

Please provide within ten (10) days: (a) the lawful basis you rely on for processing my contacts’ data, (b) the list of data recipients, (c) your retention period, and (d) your Data Protection Officer’s full contact details.

Further harassment, threats, public shaming, or disclosure of my debt to third parties will be documented and reported to the National Privacy Commission, the Securities and Exchange Commission, and law enforcement for appropriate action.

You may contact me in writing at: [email]. Do not call or message any third party.

Sincerely,
[Name]
[Government ID No., masked copy attached]
[Address / Email / Mobile]

2) Data Privacy Cease & Desist (Third-Party Contact)

Subject: NOTICE – Unlawful Processing of My Personal Data; Cease & Desist

[Date]

Data Protection Officer
[Company Name]

I am [Full Name], a private individual who has no relationship with your company. On [dates], I received messages/calls regarding [Borrower’s Name]. You obtained and used my number without my consent.

Under the Data Privacy Act, I DEMAND that you:
(1) Cease all communications to me;
(2) Delete my personal data from your systems; and
(3) Confirm in writing within five (5) days.

Continued contact will be reported to the National Privacy Commission and other authorities. Do not contact me again.

[Name]
[Email / Mobile]

3) Core allegations to include in an NPC/SEC complaint

Identity of the company/app and, if known, its SEC registration details (or lack thereof).
How your contact list was accessed and how third parties were messaged.
Copies of messages/call logs; list of affected contacts (with their own statements if possible).
Your Cease & Desist letter and any response.
Harm suffered (humiliation at work, anxiety, sleep loss, reputational harm).
Specific relief sought: stop and delete, administrative penalties, and coordination with law enforcement.

One-page decision path

Is there ongoing harassment? → Yes: Preserve evidence → Send Cease & Desist → File NPC and SEC complaints (parallel).
Is the lender unregistered? → Yes: Flag illegal lending to SEC; still file NPC for privacy breach.
Are there threats/extortion/defamation? → Yes: Consult a lawyer; prepare criminal complaint; coordinate with PNP-ACG/NBI.
Do you intend to repay? → Keep proof of payments; insist on communications with you only and in writing.

Final notes

Privacy and collection rules are on your side; contacting your contacts to shame you is not a legitimate collection method.
Act quickly, document everything, and escalate to NPC, SEC, and (if applicable) BSP or law enforcement.
Encourage your contacts to file their own complaints—their rights were violated too.

If you’d like, I can tailor the templates to your exact facts (names redacted), or help you structure your NPC/SEC complaint packet.