How to File a Harassment Complaint Against an Online Lending App with the National Privacy Commission in the Philippines

If you’ve been bombarded with calls and messages from an online lending app, or discovered that your family, friends, employer, or colleagues have received shaming messages or calls about your loan, you have clear rights under Philippine law. These tactics frequently involve the unauthorized collection, use, or disclosure of your personal data and that of people in your contact list. The National Privacy Commission (NPC) handles complaints exactly like this under the Data Privacy Act of 2012. Many victims in similar situations have obtained orders for the apps to stop the harassment, delete the improperly processed data, and pay compensation for the distress caused.

This article gives you a complete, practical guide based on current NPC procedures, the Data Privacy Act, and real patterns seen in lending app cases. You will learn what counts as a violation, how to prepare strong evidence, the exact steps to file, what to expect, and how to handle common challenges—including if you are an overseas Filipino or foreign national.

What Counts as a Privacy Violation by an Online Lending App

Online lending apps (OLAs) collect personal data when you apply for or use a loan. Problems arise when they go beyond what is necessary and lawful.

Common violations include:

  • Accessing or “harvesting” your phone contact list, social media contacts, or other personal information without a valid legal basis or proper consent, then using that data to contact third parties.
  • Sending messages or making calls to your family, friends, or employer that disclose your loan details or label you negatively (e.g., “scammer,” “deadbeat”).
  • Continuing to process or retain your data (and that of your contacts) even after you have settled the loan or asked them to stop.
  • Using aggressive collection tactics that lack transparency or proportionality, such as repeated calls outside reasonable hours or public shaming.

These actions often violate core data privacy principles: lawful processing, purpose limitation, proportionality, and security. They also breach specific rules for lending transactions.

Legal Basis Under Philippine Law

The primary law is Republic Act No. 10173, the Data Privacy Act of 2012 (DPA). It protects your personal information and gives you enforceable rights as a data subject. The NPC is the independent agency that receives complaints, investigates violations, issues orders, awards damages, and can refer cases for criminal prosecution.

Key supporting rules include:

  • The DPA’s Implementing Rules and Regulations.
  • NPC Circular No. 20-01 (Guidelines on the Processing of Personal Data for Loan-Related Transactions), as amended by NPC Circular No. 2022-02. This circular explicitly prohibits online lending apps from harvesting phone or social media contact lists for debt collection or harassment. It requires separate interfaces for borrowers to voluntarily provide character references or guarantors. Lenders may only contact the borrower or properly designated guarantors/co-makers. Using data to harass or embarrass is prohibited.
  • Joint advisories from DICT, NPC, and SEC reinforcing these limits and prohibiting unfair collection practices.
  • The 2021 Rules of Procedure of the NPC, which govern how complaints are filed, investigated, and decided.

The Supreme Court has upheld NPC decisions in lending app cases, including orders for damages and recommendations for criminal prosecution under the DPA. Past NPC actions have resulted in temporary bans on data processing for certain apps and requirements to delete improperly obtained data.

You may also have remedies under the Revised Penal Code (e.g., unjust vexation or grave threats) or the Cybercrime Prevention Act if threats or online shaming are involved. Many people file with the NPC for the privacy angle while also reporting serious threats to the PNP Anti-Cybercrime Group.

Before You File: Prepare Thoroughly and Exhaust Remedies

Strong preparation makes a big difference.

Gather clear, organized evidence (label everything as Annex A, B, etc.):

  • Screenshots or screen recordings of harassing messages, calls, or posts, with visible dates, times, sender details, and content.
  • Phone call logs or records showing patterns and numbers linked to the app or its collectors.
  • Messages or statements from affected family members, friends, or colleagues confirming they received contacts or shaming communications.
  • Proof of your interaction with the app (loan agreement, app screenshots, payment records).
  • Any prior messages or emails you sent to the app requesting them to stop.
  • Evidence of impact (e.g., notes on lost work time, anxiety affecting sleep or health, strained relationships—support with your own sworn statement or medical notes if available).

Send a written demand letter first (exhaustion of remedies).
Before filing a formal NPC complaint, you must inform the company in writing about the violation and give them a reasonable opportunity to address it. Send via email (take screenshots of sending and any read receipts) or registered mail/courier to their official address.

In the letter:

  • Clearly identify yourself and the app/loan.
  • Describe the specific harassing acts and how your personal data (and others’) was misused.
  • Demand that they immediately stop all contact with you and third parties, permanently delete the relevant data (including from any third-party collectors), and confirm in writing within a set period (e.g., 5–7 business days).
  • State that failure to comply will lead to a complaint with the NPC and other agencies.
  • Keep copies and proof of sending.

If they do not respond adequately or the harassment continues, you can proceed to file with the NPC. Attach proof of this step to your complaint.

Identify the correct respondent. Research the exact company name behind the app (check the app’s privacy policy, terms of service, Google Play/Apple App Store listing, or SEC records). File against the legal entity, not just the app name.

Step-by-Step: How to File a Complaint with the National Privacy Commission

  1. Download the official form. Go to the National Privacy Commission filing page and download the latest Complaint-Affidavit form (currently the version with Q&A guidance, such as the 2026 update). The form helps you structure your story and identify relevant DPA violations.

  2. Complete the form carefully. Fill every section accurately and factually. Use the built-in Q&A portions to describe:

    • Who you are and your relationship to the data.
    • The respondent (company/app details).
    • A clear, chronological account of what happened.
    • How your personal data and that of others was processed without proper basis.
    • The specific violations (reference the DPA sections on unlawful processing/disclosure and NPC Circular No. 20-01).
    • The harm you suffered.
    • The relief you seek (e.g., investigation, cease-and-desist order, deletion of data, payment of damages for distress, referral for criminal action if warranted).

  3. Attach your evidence and supporting documents. Include the demand letter and proof of sending, all labeled annexes, a photocopy of your valid government ID, and any witness affidavits. Organize neatly so the investigating officer can follow easily.

  4. Have the form notarized. Print the completed form and bring it, together with your ID, to any licensed notary public. Notarization turns it into a sworn statement. Notaries are widely available; typical cost is modest.

  5. Submit the notarized complaint. Current options (always confirm on the official site first, as digital options continue to evolve):

    • Email (often most convenient): Scan everything into clear, high-quality PDFs and send to complaints@privacy.gov.ph. Follow any file size or format instructions. Ensure the files are malware-free.
    • Courier: Send via a reputable service (e.g., LBC, 2Go) to the NPC office.
    • In person: Visit the NPC office at the 25th–27th Floors, The Upper Class Tower, Quezon Avenue corner Scout Reyes Street, Quezon City (call first to confirm current requirements and any security procedures).

Contact details for questions or follow-up:
Trunkline: (+63) 2 5322 1322 (Complaints: Local 114 or 115)
Mobile (complaints): +63 970 818 0555 (Smart) or +63 905 506 1478 (Globe)
Email: complaints@privacy.gov.ph
Office hours: Monday to Friday, 8:00 AM to 5:00 PM.

After submission, keep your own complete copy and note any reference or docket number you receive. This number is essential for follow-ups.

What to Expect After Filing

An NPC investigating officer reviews your complaint to check if it sufficiently alleges a violation of the Data Privacy Act or related rules and whether it can proceed. If it does, the case is docketed, the respondent is notified and given time to answer (typically 15 days or as directed), and an investigation follows. This may involve requests for more information, possible virtual hearings (e-hearings are available), or attempts at resolution.

The NPC can issue orders requiring the company to stop the unlawful processing, delete data, and pay you damages. In serious cases, it may refer the matter to the Department of Justice for criminal prosecution under the DPA (which carries penalties of imprisonment and fines).

Timelines vary depending on case complexity, evidence volume, and NPC workload. Initial review can take several weeks to a few months. Full resolution, including any hearing and decision, often takes several months to over a year. Stay patient but proactive—follow up politely via email or hotline using your reference number. You may be asked for clarifications or additional evidence.

In urgent situations involving ongoing severe harassment, highlight the urgency in your complaint and supporting documents. The NPC has mechanisms for interim or temporary measures in appropriate cases.

Common Pitfalls and Practical Tips

Many complaints are dismissed or delayed because of simple, avoidable issues:

  • Skipping or poorly documenting the initial demand letter to the company.
  • Submitting vague, disorganized, or purely emotional descriptions instead of clear facts tied to specific DPA violations.
  • Failing to label evidence or provide enough context for the investigating officer.
  • Naming only the app instead of the actual company.
  • Submitting unnotarized or incomplete documents.

Tips for success:

  • Be factual, specific, and chronological.
  • Focus on the data processing violations (how the data was obtained and used), not just that the collection calls were annoying.
  • Keep all communications with the NPC professional and documented.
  • If the harassment continues after filing, immediately update the NPC with new evidence and reference your docket number.
  • Consider parallel reports: to the SEC for possible unlicensed lending or unfair collection practices, and to the PNP Anti-Cybercrime Group if there are threats or cyber elements. This strengthens overall accountability.

Special Considerations for Overseas Filipinos and Foreign Nationals

You can file even if you are currently abroad or a foreign national, provided the processing relates to a Philippine lending app or the effects are felt in the Philippine context. NPC jurisdiction generally covers processing that occurs in the Philippines or by entities subject to Philippine data privacy rules.

For submission from abroad:

  • Have the Complaint Affidavit notarized at a Philippine Embassy or Consulate, or by a local notary followed by apostille (Philippines is part of the Apostille Convention).
  • Or execute a Special Power of Attorney (also properly notarized and apostilled) authorizing a trusted person in the Philippines (family member or lawyer) to file and represent you.
  • Email submission of clear scanned PDFs works well for many overseas complainants.

Enforcement can be more challenging against purely foreign-owned apps without Philippine assets or presence, but the NPC can still issue orders, publicize violations, and coordinate with other regulators. Document everything thoroughly.

Frequently Asked Questions

Can I file if I already paid or settled the loan?
Yes. The privacy violation—unauthorized or excessive processing and disclosure of your data and your contacts’ data—is separate from the debt. Many successful NPC complaints involve settled loans where harassment or data retention continued.

What relief can I realistically get from the NPC?
The NPC can order the company to immediately stop the unlawful processing and contacting of third parties, delete or securely dispose of the relevant personal data, and pay you damages for harm such as emotional distress or reputational damage. In serious cases it may recommend criminal prosecution. Past decisions against lending apps have included these outcomes.

Do I need a lawyer?
No. The process and official form are designed for ordinary individuals. Many people successfully file on their own. For complex cases, large claimed damages, or if you want representation during hearings, a lawyer familiar with data privacy or consumer cases can help.

How long do I have to file?
File as soon as possible while evidence is fresh. There is no extremely short deadline (unlike some 30-day rules), but claims are subject to prescriptive periods under applicable laws (generally several years). Acting quickly also helps stop ongoing harm.

Will the NPC keep my complaint confidential?
The respondent will be notified and given an opportunity to respond, so they will learn of the complaint. NPC proceedings have confidentiality protections, but due process requires the other side to know the allegations against them.

What if the app or company ignores the NPC?
The NPC has enforcement powers, including fines and orders. Non-compliance can lead to further sanctions. Publicity of violations and coordination with other agencies (SEC, PNP) also creates pressure. Document any continued violations and report them immediately to the NPC using your reference number.

Can I file on behalf of family members who were also contacted?
You can include their experiences if you have evidence and they authorize you (or they can file separately or jointly). For formal representation, a Special Power of Attorney is usually required.

Should I also go to the police?
Yes, especially if there are threats, grave coercion, or public shaming that may amount to other offenses. File a blotter or complaint with the PNP Anti-Cybercrime Group or your local station for the criminal aspects while pursuing the privacy complaint with the NPC. The two processes complement each other.

How much does it cost?
Filing the complaint itself is generally accessible with minimal or no major fees for individual complainants. Refer to the latest Schedule of Fees and Charges (NPC Circular No. 2023-01 or any update) on the NPC website for any applicable charges (e.g., for certified copies later). Notarization costs are modest and separate.

Key Takeaways

  • Harassment by online lending apps that misuses your personal data or that of your contacts is a clear violation of the Data Privacy Act of 2012 and NPC Circular No. 20-01.
  • You have the right to file a formal complaint with the NPC using their official notarized Complaint-Affidavit form.
  • Strong preparation—organized evidence, a prior written demand to the company, and a clear factual narration tied to specific legal violations—greatly improves your chances of success.
  • Submission is straightforward via email to complaints@privacy.gov.ph, courier, or in person at the NPC office in Quezon City; always verify current details on privacy.gov.ph.
  • The NPC can order the app to stop the harassment, delete improperly processed data, and pay you damages. Many similar cases have resulted in meaningful relief.
  • Consider complementary reports to the SEC and PNP-ACG for the fullest protection, especially in serious or ongoing cases.
  • Overseas Filipinos and foreign nationals can file, with proper notarization or apostille and/or a representative via Special Power of Attorney.
  • Act promptly, document everything, and use official channels. The process exists to protect ordinary people from exactly these kinds of abusive data practices.

You have options and legal protection. Many others in your situation have used the NPC process to stop the harassment and regain peace of mind. Start with gathering your evidence and sending the demand letter today.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login