If you have been harassed by an online lending app through repeated calls and messages to your family, friends, colleagues, or even your employer, or through public shaming that uses your personal information or photo, you may have a strong basis to file a complaint with the National Privacy Commission. These practices often stem from the app’s unauthorized collection and use of your personal data, such as harvesting your phone contacts or other device information, which violates the Data Privacy Act of 2012. This article explains your rights, the specific legal rules that apply to online lending apps, and the exact practical steps to file a formal complaint with the NPC so you can seek orders to stop the misuse of your data and hold the company accountable.
Understanding Harassment by Online Lending Apps as a Data Privacy Violation
Online lending apps frequently request broad access to your mobile device during the loan application or collection process—contacts, photos, camera, location, SMS, and more. While they may frame this as necessary for “verification” or “collection,” many go far beyond what is allowed. They then use that data to contact people in your network about your debt, sometimes with threatening or embarrassing messages, or to publicly shame you.
This is not merely aggressive debt collection. When an app processes your personal data without a valid legal basis, uses it for purposes you did not freely and specifically consent to, discloses it to third parties without authorization, or violates the principles of transparency, legitimate purpose, and proportionality, it breaches Republic Act No. 10173, the Data Privacy Act of 2012. The National Privacy Commission is the specialized agency that enforces this law and has handled numerous complaints against online lending platforms involving exactly these tactics.
The NPC has issued orders directing apps to immediately stop processing borrowers’ personal data and has recommended criminal prosecution of company officers in serious cases. In documented instances, the Commission ordered the takedown of apps such as JuanHand, Pesopop, CashJeep, and Lemon Loan after finding unauthorized use of personal data that enabled harassment and shaming. The Supreme Court has upheld NPC decisions in similar cases, including orders for payment of damages and referral for criminal liability under the Data Privacy Act.
Legal Basis and Key Rules Governing Online Lending Apps
The primary law is Republic Act No. 10173 (Data Privacy Act of 2012). Key provisions include:
- Section 11 — General data privacy principles: transparency, legitimate purpose, and proportionality.
- Section 12 — Lawful criteria for processing personal information; consent must be freely given, specific, informed, and unambiguous. Processing cannot be made a condition for a service (such as loan approval) if it is not necessary.
- Section 16 — Rights of the data subject, including the right to be informed, to object to processing, to access and correct data, and to erasure or blocking.
- Sections 25, 28, 31, and 32 — Criminal liabilities for unauthorized processing, access, or disclosure of personal information, with penalties of imprisonment and fines.
Specific to lending, the NPC issued Circular No. 20-01 (Guidelines on the Processing of Personal Data for Loan-Related Transactions), later amended by NPC Circular No. 2022-02. This circular explicitly prohibits “contact harvesting”—using a borrower’s phone or social media contact lists to harass or collect from third parties. It limits contact to verified guarantors who have given separate, explicit consent. It also requires “just-in-time” notices before obtaining consent, prohibits excessive permissions (such as constant access to camera, gallery, or contacts after verification), and mandates that apps prompt users to revoke unnecessary permissions once the purpose is fulfilled. Processing must remain proportionate to the legitimate purpose of evaluating or collecting a loan.
A March 2026 public advisory jointly issued by the DICT, NPC, and SEC further confirms that harassment, intimidation, public shaming, and unlawful use of personal data in online lending collection practices violate existing rules. It reminds platforms of their obligations and encourages the public to report violations.
You are the data subject. The lending company or app operator is the personal information controller (PIC) responsible for complying with the law.
When the NPC Is the Right Agency
File with the NPC when the harassment is tied to the misuse of your personal data—for example, the app accessed your contacts without valid consent and used them to message or call third parties, or shared your information in ways that caused public shaming.
The NPC is not the primary forum for pure criminal threats or physical harassment without a data-processing angle; those may also warrant complaints to the PNP Anti-Cybercrime Group or local police under the Revised Penal Code or the Cybercrime Prevention Act (RA 10175). If the app is a registered lending or financing company, you can file a parallel complaint with the Securities and Exchange Commission regarding unfair collection practices. Many people file with the NPC for the privacy violation while pursuing other remedies for the broader harassment.
Step-by-Step Guide to Filing a Complaint with the National Privacy Commission
Document everything thoroughly.
Take clear, dated screenshots of the app’s permission requests and what you granted, the loan agreement and privacy policy (often buried or misleading), every harassing message or call log (including those received by third parties), social media posts if any, and any proof of harm such as family conflict, lost opportunities, or emotional distress. Ask affected family members or friends for short sworn affidavits or written statements confirming they were contacted and how it affected them. Organize everything chronologically with labels (Annex A, Annex B, etc.).
Send a formal written notice to the lending company first (exhaustion of remedies).
Under NPC rules, you must generally inform the personal information controller in writing of the violation and give them an opportunity to act before the Commission will entertain a formal complaint. Identify the correct legal entity (check the app’s privacy policy or “about” section, the Google Play or App Store developer name, and the SEC Express System or company registry for the registered corporate name and address). Send a clear letter or email stating the facts, the specific violations (reference the Data Privacy Act sections and NPC Circular 20-01 as amended), and what you demand—immediate cessation of contact with third parties, deletion or blocking of your data, and a written response within 15 calendar days. Use a method that creates proof of sending and receipt (registered email with read receipt, courier with tracking, or registered mail). Keep copies of everything. If they respond adequately and stop the conduct, you may not need to proceed. If they do not respond or the response is unsatisfactory, proceed to filing.
Prepare the formal complaint.
Download the latest Complaint-Affidavit form from the official NPC website (privacy.gov.ph). Fill it out completely and accurately. Use the caption style “In re: Complaint for Violation of the Data Privacy Act of 2012.” Clearly identify yourself as complainant and the app/company (and responsible officers if known) as respondent. State the facts in numbered paragraphs, specify the exact provisions violated (including the loan-related circular), describe the harm you suffered, and state the relief you seek (cease-and-desist order, data deletion, investigation, damages if applicable, and referral for criminal prosecution). Attach all your evidence as annexes and include a copy of your valid government-issued ID. The complaint must be verified—sworn to before a notary public. If you are abroad, execute it before a Philippine consul or authorized notary and consider apostille requirements if the document needs formal authentication for use in the Philippines; many filers successfully use scanned PDFs for electronic submission.
File the complaint.
The preferred and most efficient method is through the NPC’s eComplaint Portal (complaints.privacy.gov.ph) by uploading the notarized complaint in PDF format together with your ID and annexes; you should receive an immediate docket number. Alternatively, email the complete scanned documents to complaints@privacy.gov.ph (use this primarily if the portal is unavailable). You may also file in person or by courier at the NPC office (currently at the PICC Complex in Pasay City—confirm the exact address and any schedule of fees on the official site). Electronic documents should follow efficient paper-use rules. Provide copies to the respondent if required by the filing method.
Monitor the case and respond to requests.
After docketing, an investigating officer will review the complaint. The NPC may request additional information or clarification. The respondent will typically be ordered to file an answer or comment. Proceedings may include remote video hearings (you can consent to e-hearings). You may apply separately for a temporary ban on processing if the harm is ongoing and urgent. Follow up politely through the portal or official email channels. Keep records of all communications.
Common Challenges and Practical Realities
Identifying the exact company behind an app can be difficult because some operate through multiple entities or foreign structures. Use all available public sources and attach whatever identifying information you have; the NPC can still investigate if the processing affects Philippine data subjects.
Notarization requires a notary public in the Philippines. Overseas Filipinos often coordinate with relatives or use consular services.
Evidence quality matters greatly—vague allegations or missing proof of the prior written notice frequently lead to outright dismissal. Strong, specific evidence linking the harassment directly to the app’s data processing (screenshots showing contact access + messages to your network) carries significant weight, as seen in past NPC decisions.
Investigations and decisions take time—often several months and sometimes longer for complex cases involving multiple parties or appeals. The NPC has dismissed complaints for insufficient evidence or failure to exhaust remedies, but well-prepared complaints with clear documentation have resulted in takedown orders, administrative sanctions, and referrals for criminal prosecution.
Foreigners and overseas Filipino workers have the same rights as Philippine data subjects when their personal data is processed in connection with Philippine lending activities. Electronic filing makes the process accessible from abroad.
What Happens After Filing
If the complaint is sufficient in form and substance and you have exhausted the prior notice requirement, the NPC gives it due course. The investigating officer evaluates evidence, may conduct further fact-finding, and issues a decision. Possible outcomes include orders directing the company to stop the unlawful processing, delete or block your data, pay administrative fines, or compensate you for damages in appropriate cases. In serious violations, the NPC forwards records to the Department of Justice recommending criminal prosecution under the Data Privacy Act. Decisions can be appealed to the courts. You may also pursue separate civil action for damages under the Civil Code if warranted.
Frequently Asked Questions
Can I file with the NPC if the app already deleted my account or I have fully paid the loan?
Yes. The violation occurred during the processing of your personal data. The NPC can still order deletion or blocking of any remaining data and impose sanctions for past unlawful processing.
Do I need a lawyer to file a complaint with the NPC?
No. Many individuals successfully file on their own using the official form and clear documentation. However, if your case is complex or involves significant damages, consulting a lawyer familiar with data privacy cases can help strengthen your complaint.
How long does the NPC usually take to resolve these complaints?
Timelines vary. Straightforward cases with strong evidence may move faster, while those requiring extensive investigation or respondent responses often take several months to more than a year. Consistent follow-up helps.
Can the NPC immediately stop the calls and messages to my contacts?
The NPC can issue orders to cease unlawful processing, including contact with third parties. For urgent ongoing harm, you may file a separate application for a temporary ban on processing while the main complaint proceeds.
What if I cannot identify the exact company name or address?
Provide all available information from the app, Google Play listing, privacy policy, and any messages you received. The NPC has tools to trace entities and has proceeded against operators in past lending app cases even when identification was initially challenging.
Will filing a complaint with the NPC affect my credit standing or future loan applications?
Filing a legitimate privacy complaint is a protected exercise of your rights and should not negatively affect your credit. Retaliatory reporting by the lender could itself constitute further violation.
Can multiple borrowers file together against the same app?
Yes. You can file individually or, in some situations, as a group with proper authorization. Each complainant’s evidence strengthens the overall case.
Is there a deadline for filing a complaint with the NPC?
While there is no strict short deadline like some court actions, act promptly. Evidence can become harder to preserve over time, and prescriptive periods apply to any related criminal aspects. Early filing also helps stop ongoing harm faster.
Can I claim money damages through the NPC complaint?
The NPC can award or facilitate civil damages in appropriate cases as part of enforcement. You may also file a separate civil action in court for damages under the Civil Code provisions on privacy and human dignity.
Key Takeaways
- Harassment involving the unauthorized use or disclosure of your personal data by online lending apps violates the Data Privacy Act of 2012 and falls under the jurisdiction of the National Privacy Commission.
- NPC Circular No. 20-01, as amended by Circular No. 2022-02, specifically prohibits contact harvesting and other excessive data practices common in online lending collection.
- You must first send a clear written notice to the lending company and allow 15 calendar days for a response before filing a formal complaint, and you must attach proof of this step.
- Strong, well-organized evidence—especially documentation linking the harassment directly to the app’s data processing—is essential for the complaint to proceed and succeed.
- Filing is possible electronically through the NPC eComplaint Portal or email, making it accessible even if you are overseas or outside Metro Manila.
- Past NPC actions against online lending apps have included immediate takedown orders, administrative penalties, and recommendations for criminal prosecution of responsible officers.
- The NPC process focuses on stopping the unlawful processing of your data and providing accountability; complementary complaints to the SEC or cybercrime authorities may be appropriate depending on the full circumstances of the harassment.
The procedures and forms on the official NPC website are the most current source. Many Filipinos in your exact situation have successfully used this process to assert their data privacy rights and obtain relief.