If you’ve been harassed by an online lending app through calls and messages to your family, friends, or coworkers, public shaming using your personal information, or other aggressive tactics that feel like an invasion of your privacy, you have a clear path to seek accountability. Many Filipinos—both in the Philippines and abroad—have experienced exactly this after borrowing small amounts or even just applying through these apps. The National Privacy Commission (NPC) handles complaints involving the misuse of personal data under the Data Privacy Act of 2012. This article explains your rights, when the NPC is the right agency, and provides a practical, step-by-step guide to filing a formal complaint based on current NPC procedures and real-world outcomes from similar cases.

Online lending apps (OLAs) often require broad permissions during installation or loan application—access to your contacts, photos, camera, or social media accounts. When borrowers fall behind or even when loans are denied, some apps or their collectors use this data to pressure repayment by contacting people in your phonebook, sending messages that damage your reputation, or posting personal details publicly. These actions frequently violate core data privacy principles: processing must be transparent, for a legitimate purpose, and proportionate to what is needed. Harvesting and weaponizing contact lists for debt shaming goes far beyond any reasonable lending activity.

The NPC has repeatedly acted against such practices. It has investigated hundreds of complaints against OLAs, issued takedown orders on specific apps, recommended criminal prosecution in serious cases, and seen its decisions upheld by the Supreme Court. Your situation is not just a collections problem—it is often a data privacy violation that the NPC is specifically empowered to address.

Your Rights and the Legal Basis Under Philippine Law

The Data Privacy Act of 2012 (Republic Act No. 10173) is the primary law protecting your personal information in both government and private sector processing. It establishes that personal data (any information relating to an identified or identifiable individual) must be processed only when there is a lawful basis, such as consent, contract, or legal obligation, and always in line with the principles of transparency, legitimate purpose, and proportionality.

Key violations relevant to OLA harassment include:

• Unauthorized processing (Section 25) — Accessing or using your contacts or other data without proper basis or beyond what was disclosed.
• Unauthorized disclosure (Section 32) — Sharing your personal information (including debt status) with third parties like family or friends without your consent or other lawful basis.
• Malicious disclosure (Section 31) — Disclosing information with intent to cause harm or damage to reputation.

The Implementing Rules and Regulations of the DPA and NPC Circular No. 20-01 (Series of 2020) specifically address lending and financing companies. This circular prohibits the harvesting of phone or social media contact lists and the use of such data to harass or shame borrowers. It emphasizes data minimization—collecting and keeping only what is truly necessary for the lending transaction—and requires secure disposal of unnecessary data.

The 2021 Rules of Procedure of the NPC (still the governing framework, with updated forms) set out how complaints are filed, evaluated, and resolved. The NPC can investigate, issue cease-and-desist or compliance orders, impose administrative fines, direct the deletion or rectification of data, and refer cases for criminal prosecution. In documented cases involving OLAs, the Commission has ordered app takedowns and recommended prosecution for privacy violations tied to harassment and public shaming.

You also retain separate rights under the Civil Code to seek damages for privacy violations or emotional distress, and certain acts may constitute crimes under the Revised Penal Code (e.g., grave threats or unjust vexation) or the Cybercrime Prevention Act. However, for the privacy angle involving personal data misuse, the NPC is the specialized and most direct agency.

When the NPC Is the Appropriate Agency

File with the NPC when the harassment involves misuse of your personal data—contacting people in your phone without consent, using your photo or details to shame you, accessing device data excessively, or disclosing your information to third parties.

If the issue is purely unfair or abusive debt collection practices without a clear data privacy element (for example, repeated calls from a registered collector using only information you provided), the Securities and Exchange Commission (SEC) may also have jurisdiction over lending companies. Serious threats or criminal acts should be reported to the Philippine National Police (PNP) or National Bureau of Investigation (NBI). Many people file parallel complaints with the NPC and SEC for maximum protection. The NPC process focuses on stopping the privacy violation and holding the company accountable for data handling.

Step-by-Step Guide to Filing a Complaint with the NPC

Follow these steps carefully. Complaints that skip required elements, such as exhaustion of remedies or sufficient evidence, are often dismissed outright.

1. Document everything thoroughly and organize your evidence.
   Take clear screenshots of harassing messages, call logs, or posts, including visible timestamps, phone numbers, sender details, and content. Ask affected contacts (family or friends who received messages) for their own screenshots or short affidavits confirming what they received and when. Capture app permission screens showing access to contacts, photos, or location. Save the loan agreement, privacy policy, and any terms you accepted. Note dates, times, and sequences of events. Strong, timestamped, and organized evidence is the foundation of a successful complaint.

2. Exhaust remedies by notifying the lending app or company in writing first.
   Under the NPC Rules, you must generally give the respondent (the app operator or lending company) written notice of the privacy violation and a reasonable opportunity to address it—specifically, they have 15 calendar days from receipt to respond or take appropriate action.
   Send a formal demand letter or email to the company’s Data Protection Officer (DPO) if listed in the app or privacy policy, or to their general contact/support email and any known physical address. Clearly state the facts, demand that they immediately cease contacting third parties, stop all unauthorized processing, delete or return your data where appropriate, and confirm compliance in writing.
   Use registered mail or email with read/delivery receipts and keep copies. If they ignore you, respond inadequately, or continue the behavior, attach proof of this notice and the lack of proper response to your complaint. This step is mandatory in most cases and shows good faith.

3. Download and complete the latest NPC Complaint-Affidavit template.
   Go to the official National Privacy Commission filing a complaint page and download the current Complaint-Affidavit form (as of early 2026, version NPC_LEO_CID_CAF-V2.0 dated 01 March 2026 or later). The form includes guided sections and an attached Question-and-Answer portion that helps you describe specific violations under Sections 25, 31, 32, and related provisions of the DPA.
   Fill it legibly and completely. Provide your full personal details, identify the respondent as precisely as possible (company name if known, or “the operator/developer of [App Name]”), list the personal information involved, check the applicable violation boxes, and write a clear, chronological narration of facts in Section VI. Use the Q&A guidance to strengthen each alleged violation. Specify the reliefs you seek (damages, administrative fines, orders to stop processing or delete data, compliance with data subject rights, or others).

4. Attach all required supporting documents and have the complaint notarized.
   Attach organized copies of your evidence (label them as Annexes), proof of your written demand to the respondent and any response (or lack thereof), and copies of your valid government-issued ID. The form requires a Verification and Certification Against Forum Shopping—swear that the allegations are true based on personal knowledge or authentic records and that no similar case is pending elsewhere (or disclose it if there is).
   Bring the completed form and your ID to any notary public for notarization. This is a standard sworn statement requirement.

5. Submit your complaint to the NPC.
   Current options include emailing scanned copies (clear PDFs) to complaints@privacy.gov.ph, sending via courier, or filing in person. Check the official NPC website for any active online eComplaint portal or upload system, as digital options continue to expand.
   The NPC’s current main office is at the 25th–27th Floors, The Upper Class Tower, Quezon Avenue corner Scout Reyes Street, Quezon City. Confirm the exact submission address and any updated instructions on privacy.gov.ph before sending, as details can be updated. Electronic submissions must follow the Efficient Use of Paper Rule and be malware-free.
   Keep your own complete copy of everything submitted, including proof of sending (email confirmation, courier receipt, etc.).

6. Cooperate with the investigation and follow up as needed.
   Once docketed, an investigating officer reviews the complaint for sufficiency in form and substance. If it proceeds, the respondent will typically be notified and given a chance to answer. The NPC may request additional information from you, schedule a hearing (often via video conferencing), or explore settlement. Stay responsive to NPC communications and promptly submit any supplemental evidence of continuing violations.

What to Expect: Timelines, Process, and Possible Outcomes

Initial evaluation for docketing and sufficiency usually happens within days to a couple of weeks, though this varies with volume. Full investigations can take several months depending on the complexity, the respondent’s cooperation, and any hearings required. The NPC prioritizes cases involving clear harm or patterns affecting many people.

Possible outcomes include:

• Orders directing the company to cease the unauthorized processing or disclosure, delete or rectify your data, and implement proper safeguards.
• Administrative fines and penalties on the company.
• Referral to the Department of Justice for criminal prosecution under the DPA (certain violations carry imprisonment and fines).
• In appropriate cases, directives or findings that support claims for damages.

Previous NPC actions against OLAs have resulted in app takedowns and successful recommendations for prosecution. The Supreme Court has upheld NPC decisions ordering accountability and damages in privacy violation cases involving lending apps. Note that while the NPC focuses on privacy compliance and penalties, separate civil action in regular courts may be needed for substantial monetary damages.

Common Challenges and Practical Realities

Many complaints are dismissed because the complainant skipped the 15-day exhaustion step or submitted vague facts without enough evidence. Be specific: instead of “they harassed me,” state exact dates, what was said or sent, to whom, and how it violated the DPA principles or specific sections.

Identifying the exact company behind an app can be difficult—some are foreign-operated or use multiple names. Provide whatever identifying information you have (app store details, developer name, emails used, SEC registration if found). The NPC can often trace the entity during investigation.

Apps may continue operations or change tactics after a complaint. Document any new incidents and submit them as supplemental evidence. If threats escalate to criminal levels, report immediately to the PNP.

For complainants abroad (including many OFWs), the process is the same, but documents executed outside the Philippines may require apostille under the Apostille Convention or notarization at a Philippine consulate/embassy for proper authentication. The DPA has extraterritorial reach when processing involves Philippine citizens or residents.

Some respondents ignore NPC orders or delay. Persistent follow-up and providing strong evidence help. The NPC has shown it will act against non-compliant OLAs, especially when there is a pattern of complaints.

Frequently Asked Questions

Do I need a lawyer to file a complaint with the NPC?
No. Individuals can file on their own using the official template. The form and its Q&A guidance are designed to help laypersons. However, if your case is complex, involves large amounts, or you want assistance drafting or following up, consulting a lawyer familiar with data privacy or consumer cases is advisable.

How long does the entire NPC process usually take?
Initial review and docketing often occur within days or weeks. A full investigation, including any hearings and decision, commonly takes several months. Some cases move faster when evidence is strong and violations are clear; others take longer if the respondent contests or additional information is needed.

Can the NPC force the lending app to forgive my loan or stop all collection efforts?
The NPC’s primary role is enforcing data privacy. It can order the company to stop unauthorized use or disclosure of your personal data and to delete improperly obtained information. It does not directly regulate the underlying debt or standard collection (those aspects may fall under SEC rules or court processes). However, stopping the privacy-violating harassment often removes the most damaging tactics.

What is the strongest evidence in these harassment cases?
Timestamped screenshots or recordings of messages and calls received by you or your contacts, affidavits from the people who were contacted, proof that the app requested and accessed contacts or other excessive permissions, and clear documentation that you demanded they stop and they failed to do so adequately. Organized, labeled annexes make a big difference.

Can I file anonymously or without revealing my identity to the respondent?
Complaints generally require your identity as the data subject. The NPC keeps complaints confidential during investigation to the extent possible, but the respondent usually receives notice and a copy of the allegations so they can respond. Full anonymity is difficult in a formal adjudicatory process.

Is there a filing fee?
There is generally no filing fee for data subjects filing personal complaints about violations affecting them. Check the current NPC Schedule of Fees on the website for any exceptions or updates.

What if the app or company has already shut down or I can’t find their details?
File with the best information you have (app name, any contact details, developer information). The NPC has investigated and acted against apps and operators even when identification was initially incomplete. Patterns of complaints from multiple people also strengthen cases.

Will filing with the NPC affect my credit standing or ongoing loan?
Filing a privacy complaint is your legal right and should not negatively affect your credit or loan status. However, continue to handle any legitimate debt obligations separately through proper channels. Document everything in case of retaliation.

Can I file with the NPC even if I already settled or paid the loan?
Yes. The privacy violation (unauthorized disclosure or processing of your data) can be addressed independently of whether the debt is settled. Many complaints arise precisely because shaming continued even after payment or involved data from denied applications.

Key Takeaways

• Harassment by online lending apps that involves misusing your personal data—especially contacting your network or public shaming—violates the Data Privacy Act of 2012 and falls squarely under the NPC’s jurisdiction.
• You must first send a written demand to the company and allow 15 calendar days for a proper response before filing a formal complaint (exhaustion of remedies).
• Use the latest official NPC Complaint-Affidavit template, complete it thoroughly with the help of the attached Q&A guidance, attach strong organized evidence, and have it notarized.
• Submit via the methods currently listed on privacy.gov.ph (email to complaints@privacy.gov.ph, courier, or in person at the NPC office in Quezon City). Confirm the latest details and any portal options on the official site.
• The NPC can investigate, issue compliance orders, impose penalties, direct data deletion, and refer cases for criminal prosecution—real outcomes have been achieved in numerous OLA cases.
• Strong documentation and following the required steps dramatically improve your chances of success. Insufficient evidence or skipping exhaustion are the most common reasons complaints are dismissed.
• You can pursue parallel remedies with the SEC for unfair collection practices or the PNP/NBI for criminal acts while your NPC complaint proceeds.
• Taking this step not only seeks redress for your situation but contributes to broader accountability— the NPC has used individual complaints to identify patterns and act against abusive operators.

Your privacy is protected by law. By preparing carefully and following the proper process, you give the NPC the information it needs to act. Start with thorough documentation and your written demand today, then move to the formal complaint if the violation continues. The official NPC resources and the steps above give you a clear, practical roadmap.