If relentless calls, messages, or public posts from an online lending app have reached your family, friends, coworkers, or social media circles—revealing your financial situation or pressuring them to intervene on your behalf—you have clear rights under Philippine law. Many borrowers face exactly this kind of aggressive collection that goes beyond normal reminders and crosses into misuse of personal data. The National Privacy Commission (NPC) handles complaints involving violations of the Data Privacy Act of 2012, particularly when lending apps harvest contacts without proper consent, disclose debts to third parties, or use your information for harassment and shaming. This article provides a practical, step-by-step guide to filing a formal complaint with the NPC so you can stop the violations and hold the operators accountable.

Understanding Harassment by Online Lending Apps and Data Privacy Violations

Online lending apps (OLAs), including many unregistered ones, often collect extensive personal data during loan applications or account setup. Common problematic practices include requiring broad app permissions to access your entire phone contact list, camera, location, or storage; using that data to contact people you never authorized as guarantors or references; and disclosing your loan details, outstanding balance, or personal photos to family members, employers, or public social media groups to shame or pressure you into paying.

These actions frequently violate data privacy rules because they involve unauthorized processing or unauthorized disclosure of personal data. The apps act as Personal Information Controllers (PICs)—entities that decide how your data is collected, used, and shared. When they process data beyond what is necessary for legitimate loan evaluation or collection from properly designated guarantors, or when they fail to provide clear notices and obtain valid consent, they breach the law.

You, as the data subject (the individual whose personal data is involved), have the right to expect that your information is handled only for stated, lawful purposes and with appropriate safeguards.

Legal Basis for Filing a Complaint with the NPC

The primary law is Republic Act No. 10173, the Data Privacy Act of 2012. It establishes your rights as a data subject, including the right to be informed about how your data will be processed, the right to object to processing, the right to access and correct your data, and in certain cases the right to erasure or blocking. It also prohibits unlawful processing and unauthorized disclosure of personal data, with both administrative and criminal consequences for violations.

Specific rules for lending activities come from NPC Circular No. 20-01 (Guidelines on the Processing of Personal Data for Loan-Related Transactions), as amended by NPC Circular No. 2022-02. Key provisions include:

• Lending entities may only collect and process personal data that is adequate, relevant, suitable, necessary, and not excessive for Know-Your-Customer (KYC) requirements, creditworthiness assessment, fraud prevention, and legitimate loan-related purposes.
• They must provide clear, just-in-time notices before obtaining consent and avoid deceptive design patterns that make it hard to refuse unnecessary permissions.
• Access to contact lists or other device data is restricted; it cannot be used for blanket collection or debt collection from anyone except properly designated and consenting guarantors.
• Public shaming, disclosure of debt details to third parties, or coercive use of personal data is prohibited.

A March 2026 joint public advisory from the Department of Information and Communications Technology (DICT), NPC, and Securities and Exchange Commission (SEC) reinforces these rules and warns against harassment, intimidation, and unlawful personal data use in collection practices. You can read the advisory here.

The 2021 Rules of Procedure of the NPC govern how complaints are filed, investigated, and resolved. These rules require exhaustion of remedies (notifying the respondent first) and set standards for evidence and verification.

NPC has a track record of acting on these complaints. In past waves of similar cases, the Commission conducted investigations, issued cease-and-desist orders against multiple apps, imposed compliance requirements, and referred some operators for criminal prosecution under the Data Privacy Act.

Step-by-Step Guide to Filing a Complaint with the National Privacy Commission

Follow these steps carefully. Well-prepared complaints with clear evidence and proof of prior notice move forward more effectively.

1. Document everything thoroughly and organize your evidence.
   Take clear, dated screenshots of all harassing messages, call logs (showing numbers and frequency), social media posts that shame or disclose your information, and any in-app communications. Record the exact dates, times, and content. Capture screenshots of the app’s permission requests (especially contacts access) and any privacy notices or consent screens you saw—or did not see—during signup or loan application. If family or friends received calls or messages, ask them for their own screenshots or statements. Organize everything in labeled folders (e.g., “Annex A – Call logs and messages from [App Name] on [dates]”). Strong, specific evidence is the foundation of a successful complaint.

2. Exhaust remedies by notifying the lending app or company in writing first.
   Under the NPC Rules of Procedure, you generally must inform the Personal Information Controller (the app operator or lending entity) in writing about the specific privacy violation and give them an opportunity to act. Send a formal notice via email (use any support or legal email listed in the app or on their site), registered mail, or courier if possible. In the letter, clearly state the facts, identify the exact practices that violate the Data Privacy Act and NPC Circular 20-01 (for example, unauthorized access to contacts and disclosure to third parties for debt collection), and demand specific actions such as immediately ceasing all contact with your network, deleting or blocking your personal data from further processing, and confirming compliance in writing within 15 calendar days. Keep copies of the letter, proof of sending (email delivery receipts, courier tracking, or registered mail receipt), and any response (or lack of response after 15 days). Attach this proof to your NPC complaint. Many complaints are dismissed or delayed if this step is skipped.

3. Download and complete the official Complaint-Affidavit Form.
   Go to the National Privacy Commission page for filing a complaint and download the latest Complaint-Affidavit form (the current version is typically labeled with a recent date such as 2026). Fill it out completely and accurately. Use a caption such as “In re: Complaint for Violation of the Data Privacy Act of 2012 (Unauthorized Processing and Disclosure of Personal Data by [App Name / Operator]).” Clearly identify yourself as complainant with your full name and contact details. Identify the respondent as precisely as possible (the registered company name if known, or “the operator/owner of the [App Name] mobile application”). State the facts in numbered paragraphs, specify the provisions violated (reference relevant sections of RA 10173 and NPC Circular 20-01), describe the harm you suffered (emotional distress, reputational damage, interference with work or family relationships), and list the reliefs you seek (cease-and-desist order, order to delete or cease processing your data, investigation and sanctions, referral for criminal prosecution where appropriate, and any other just relief). Be factual and concise. One form is generally used per respondent.

4. Gather supporting documents and prepare annexes.
   Attach clear copies of: your valid government-issued ID (passport, driver’s license, UMID, or PhilID for foreigners with valid identification); all evidence organized and labeled as annexes; proof of your written notice to the respondent and any delivery receipts or responses; and notarized affidavits from witnesses (family members or friends who received harassing calls or messages) if available. If you are filing as a representative, include a Special Power of Attorney.

5. Have the completed Complaint-Affidavit notarized.
   Print the filled form and have it sworn to and signed before a notary public in the Philippines. If you are abroad, have it notarized before a Philippine consul or authorized officer at a Philippine Embassy or Consulate. Scanned copies of properly notarized documents are widely accepted for email or portal submission.

6. Submit your complaint.
   The main methods are: in person at the NPC office (confirm the current address and hours on the official website), by courier service, or by scanning the complete notarized documents (form + ID + annexes) and emailing them to complaints@privacy.gov.ph. Electronic documents should be in PDF format where possible and follow efficient paper-use guidelines. Check the official NPC website for any active eComplaint portal option that may provide an instant docket number upon upload. Upon submission, request or note your docket number for follow-up. Provide copies to the named respondent if the submission method requires it.

7. Cooperate with the NPC investigation and follow up as needed.
   After docketing, the NPC will review the complaint. They may request additional information or evidence from you. The respondent will typically be given an opportunity to answer. The Commission may explore mediation or proceed to formal investigation and hearing. Provide timely responses to any requests. You can follow up on status by emailing complaints@privacy.gov.ph with your docket number.

Common Challenges, Pitfalls, and Practical Scenarios

Many complaints stall because the initial written notice to the app was skipped or lacked specificity. Others lack concrete evidence linking the harassment directly to the app’s data processing (for example, screenshots showing the app contacted people from your phonebook). Vague or overly emotional language without clear facts and legal references can weaken a filing. Identifying the exact legal entity behind an unregistered app can be difficult—NPC investigators can help, but provide whatever details you have (app name, package name, screenshots of company information in the app store or terms).

Realistic scenario example: A borrower took a small loan through an app that required contact-list access during signup. When repayment was delayed, the app sent messages and made calls to over a dozen family members and a workplace colleague, disclosing the exact outstanding amount and threatening reputational harm. The borrower sent a detailed written demand to the app’s listed support email, received no meaningful response after 15 days, then filed with screenshots of the messages, call logs, family affidavits, and proof of the permission request. NPC docketed the case, conducted further investigation, and ultimately issued orders against the operator.

For Filipinos abroad or foreign nationals: You can file the same way. Many successful complainants are OFWs. Use email submission of scanned, properly notarized documents. For authentication, Philippine consular notarization is reliable; apostille may be needed only if additional formal court use arises later. The Data Privacy Act applies when personal data of Philippine data subjects is processed or when entities target individuals in the Philippines.

Other practical tips: Keep all communications factual. Do not engage further with the app after sending your notice if it continues the prohibited conduct—document it instead. Consider changing your phone settings or number if harassment persists, while preserving evidence first.

What to Expect After Filing and Possible Outcomes

The NPC will evaluate completeness and may dismiss deficient complaints or require supplementation. If it proceeds, expect an investigation phase that can include requests for documents from the respondent and possible hearings. Timelines vary significantly depending on case complexity, evidence volume, and current caseload—initial review and docketing often occur within weeks, while full resolution (including any decision or order) can take several months to more than a year.

Possible outcomes include dismissal (if no violation or insufficient basis), mediated settlement, or a formal decision with administrative sanctions. These can include cease-and-desist orders stopping the specific data processing or collection practices, orders to delete or block personal data, compliance directives, administrative fines, and referral to the Department of Justice or prosecutors for criminal aspects under the Data Privacy Act. NPC orders focus on stopping the privacy violation and accountability; they do not directly collect debts or award personal damages (separate civil action in court may be needed for monetary claims).

Frequently Asked Questions

Can I file with the NPC even if the online lending app is unregistered with the SEC?
Yes. NPC jurisdiction over data privacy violations applies regardless of SEC registration or licensing status. Unregistered apps have faced enforcement actions in the past.

How much does it cost to file a complaint?
Individual data subjects generally pay no filing fee. There may be minor costs for printing, notarization, or courier services.

Do I need a lawyer?
No. You can prepare and file using the official form and this guidance. For complex cases involving large-scale harm or multiple respondents, consulting a lawyer familiar with data privacy or consumer protection can help strengthen the complaint and represent you at hearings.

What evidence works best for these complaints?
Dated screenshots of harassing messages and call logs, proof that contacts were accessed without proper justification, witness affidavits from people who received calls or messages, screenshots of excessive permission requests during app use, and your written notice plus proof of delivery or non-response.

Can the NPC immediately stop the harassment?
If the complaint shows clear ongoing harm, the NPC can issue cease-and-desist or compliance orders after due process. In appropriate cases, temporary measures may be available.

I live abroad. Can I still file and will my documents be accepted?
Yes. Email submission of scanned, notarized documents (preferably consular-notarized) is commonly used and accepted. Check the official website for any portal updates.

Will filing affect my credit score or loan balance?
Filing a privacy complaint addresses the manner of collection and data use, not the underlying debt. It should not directly impact credit reporting. Handle any legitimate loan obligations through proper channels separately.

How long does the whole process usually take?
It varies. Some cases see initial action within one to three months; full investigation and decision often take six to eighteen months or longer depending on complexity and volume of cases.

Can I file one complaint covering multiple different lending apps?
It is usually better to file separate complaints or clearly separate sections per respondent because each involves distinct facts, evidence, and operators. The form is typically used one per respondent.

What if the calls include threats of violence or other crimes?
Report immediately to the Philippine National Police (local station or Anti-Cybercrime Group) or National Bureau of Investigation Cybercrime Division in addition to filing with the NPC. You can pursue both administrative (NPC) and criminal tracks at the same time.

Can I claim money damages through the NPC complaint?
The NPC primarily issues regulatory orders and sanctions. For personal damages, you may need to file a separate civil case in court under relevant provisions of the Civil Code (such as Articles 19, 20, and 21 on abuse of rights) or other applicable laws.

Key Takeaways

• Harassment involving misuse of your personal data or unauthorized contact with your network by online lending apps violates the Data Privacy Act of 2012 and NPC Circular No. 20-01 on loan-related data processing.
• You must first send a clear written notice to the app or operator detailing the violations and demanding specific corrective actions, then wait for a response or the 15-day period before filing with the NPC.
• Strong, organized evidence—especially dated screenshots, call records, witness statements, and proof of your prior notice—is essential for the complaint to proceed effectively.
• Download the latest Complaint-Affidavit form from the official NPC website, fill it factually with specific legal references, have it notarized, and submit via email to complaints@privacy.gov.ph, courier, or in person.
• The process is accessible to individuals without a lawyer and workable from abroad through scanned electronic submission.
• NPC can issue powerful orders to stop the violations, require data deletion or blocking, impose sanctions on operators, and refer matters for criminal action.
• Consider parallel reports to the SEC for unfair collection practices and to law enforcement if threats or other crimes are involved.
• Stay organized, factual, and persistent. Many borrowers in similar situations have successfully used this process to regain control and obtain accountability.

Check the official National Privacy Commission website (privacy.gov.ph) regularly for the most current forms, contact details, and any updates to procedures before submitting.