If you've been dealing with persistent collection calls, messages to your contacts, or the sense that your personal details remain active in online lending app systems long after any loan has been settled, you have specific rights under Philippine law to demand the removal or blocking of your information. The Data Privacy Act of 2012 empowers individuals to control how their personal data is handled by companies, including fintech lenders. This guide explains those rights clearly and walks you through the practical steps to request erasure from online lending apps, what to do when companies do not respond, and how to escalate effectively.

Your Rights Under the Data Privacy Act of 2012

Republic Act No. 10173, the Data Privacy Act of 2012 (DPA), protects the fundamental right to privacy while regulating how personal information is collected, stored, used, and shared. Under the law, you are a data subject — the individual whose personal information is being processed. The online lending app or its operating company is typically the Personal Information Controller (PIC), the entity that determines the purposes and means of processing your data. A Personal Information Processor (PIP) may handle data on behalf of the PIC (for example, a collection agency or analytics provider).

The DPA grants data subjects several key rights, including the right to be informed, the right to access your data, the right to object to processing, the right to rectification, and — most relevant here — the right to erasure or blocking. These rights apply to all personal information, which includes any data from which your identity can be reasonably ascertained (name, contact details, loan history, device information, photos, or contact lists accessed by the app). Some categories, such as health or government-issued identifiers, receive heightened protection as sensitive personal information, but the core rights cover ordinary personal data as well.

The Right to Erasure or Blocking

Section 16(e) of the Data Privacy Act states that you may “suspend, withdraw or order the blocking, removal or destruction of [your] personal information from the personal information controller’s filing system” upon discovery and substantial proof of specific grounds. These include:

• The data is incomplete, outdated, false, or unlawfully obtained.
• The data is being used for an unauthorized purpose.
• The data is no longer necessary for the purposes for which it was collected.
• You withdraw consent and there is no other legal basis for continued processing.
• Processing is unlawful or violates your rights as a data subject.

This right covers both live systems and backup copies. The PIC must also instruct any third-party processors or recipients (such as collection partners) to carry out the same erasure or blocking. Official guidance from the National Privacy Commission (NPC) confirms that the right extends even to personal data that has become publicly available online — the PIC is expected to coordinate with other controllers or search indexes to remove or de-list it where appropriate.

The right is not absolute. A lending company may lawfully refuse full erasure if the data remains necessary for fulfilling a contract (such as an active loan), complying with a legal obligation (for example, certain tax or anti-money laundering record-keeping rules), establishing or defending a legal claim, or other narrowly defined legitimate purposes consistent with industry standards. In such cases, you can still request blocking or restriction — limiting further use, sharing, or profiling while the data is retained only for the stated lawful purpose.

Why This Matters Specifically for Online Lending Apps

Many online lending apps request broad permissions (access to contacts, photos, location, device identifiers) that go beyond what is strictly necessary for lending. When these apps or their partners later use your contacts for collection calls, retain data indefinitely after repayment, or share information without proper basis, this can constitute unauthorized or excessive processing. Joint advisories from the Securities and Exchange Commission (SEC), Department of Information and Communications Technology (DICT), and NPC have repeatedly reminded online lending platforms to stop accessing non-borrower contacts and to comply with data privacy and fair collection rules. Violations are common in practice, which is why many borrowers successfully use the DPA process to regain control.

Step-by-Step Guide to Request Removal of Your Personal Information

Follow these steps in order. Most people start here and resolve the issue without needing to escalate.

1. Gather your evidence and identify the right recipient.
   Collect screenshots of the app’s privacy policy or notice (especially sections on data retention, sharing, and contact details for the Data Protection Officer or privacy team), your account or loan reference number, proof of any repayment or account closure, and records of any unwanted contacts or messages. Note the full legal name of the company (often found in the app store listing, privacy policy, or SEC registration if it is a registered lending or financing company). Look for a dedicated privacy or DPO email address. If none is listed, use the general support or corporate email but clearly label your message as a formal Data Privacy Act request.

2. Prepare a clear, written request.
   Send it by email (preferred, for easy proof) or registered mail/courier. Use a subject line such as: “Formal Data Subject Request for Erasure and Blocking of Personal Data under RA 10173 – [Your Full Name] / Account [Reference Number]”.
   In the body, include:

   • Your complete identification (full name, registered mobile number and email, account or loan reference).
   • A description of the personal data or categories you want erased or blocked (for example: profile and identity data, contact list information accessed by the app, device and location identifiers, marketing or profiling data, call/SMS logs, and any data shared with third parties).
   • The specific grounds (for example: “My loan was fully settled on [date] and the data is no longer necessary”; “I withdraw any prior consent for non-essential processing”; “The app accessed and used my contacts for collection purposes without authorization”).
   • Clear requests: erasure or destruction where possible; blocking/restriction of any data that must be retained; cessation of further processing or sharing; written confirmation within 15–30 days stating exactly what was deleted versus retained and the legal basis for any retention; and confirmation that instructions have been sent to any processors or third parties.
   • Your contact details for follow-up.

3. Send the request and keep meticulous records.
   Send from the email address associated with your account when possible. Take screenshots of the sent email and any delivery receipts. If mailing, use registered mail or a reputable courier and keep the receipt.

4. Follow up if there is no timely response.
   If you receive no substantive reply within 15 calendar days (the period used by the NPC for exhaustion of remedies), send a short follow-up referencing your original request and date sent. Document the lack of response.

5. Accept partial outcomes when reasonable.
   Many companies will delete or anonymize non-essential data (contacts, marketing profiles, device advertising IDs) while retaining core records for a limited period under a legal obligation or legitimate interest. Ask for a clear written explanation of what is being kept and why.

Escalating to the National Privacy Commission When the App Does Not Comply

If the lending company ignores your request, refuses without a valid legal basis, or continues unlawful processing (such as further sharing or harassment), you can file a formal complaint with the National Privacy Commission.

Important requirement: You must first exhaust internal remedies. This means you must have sent a written request to the company and given it 15 calendar days to respond or take appropriate action. Proof of this step (your letter/email and proof of sending) must be attached to your NPC complaint.

To file:

• Download the current Complaint-Affidavit form from the NPC website (privacy.gov.ph/filing-a-complaint/ or the dedicated complaints section). Use the latest version and follow any instructions or Q&A provided.
• Complete the form with clear, factual details of the violation and your prior request.
• Have the form notarized.
• Attach supporting evidence: copy of your erasure request and proof it was sent/received, any response (or none), screenshots of the app and privacy policy, records of harassment or unauthorized contacts, and any other relevant documents.
• Submit via the NPC’s preferred channels (email to complaints@privacy.gov.ph, any online portal listed on the website, in person, or by courier). Check the official site for the current physical office address (references include locations in Quezon City and Pasay City) and any e-filing options.

The NPC will evaluate the complaint, may conduct further investigation or require the company to explain its actions, and can issue orders requiring erasure, blocking, or other corrective measures. The Commission also has authority to impose penalties for violations. Resolution times vary but often take several months depending on complexity and case volume. You do not need a lawyer to file, although legal assistance can help organize strong evidence.

Common Challenges and Practical Scenarios

Many borrowers face unresponsive or “ghost” companies, apps that claim indefinite retention for vague “legal” reasons, or situations where data has already spread to multiple collection partners. In these cases, the formal paper trail you create with your initial request becomes powerful evidence for the NPC.

If the company is no longer operating or cannot be reached, the NPC can still investigate once you demonstrate reasonable efforts to contact it and provide identifying details (app name, former website, SEC registration number if available).

For active loans, full erasure of core contract data is usually not possible, but you can still request blocking of non-essential data, withdrawal of consent for marketing or profiling, and cessation of contact-list usage.

Overseas Filipino workers and foreigners have the same rights when the processing occurs in the Philippines or is carried out by an entity established or targeting individuals here. Email requests work well across time zones; enforcement remains through the NPC.

Harassment or threats through contacts should also be reported in parallel to the Philippine National Police (Anti-Cybercrime Group) or National Bureau of Investigation, and unfair collection practices can be raised with the SEC.

Frequently Asked Questions

Can I just uninstall the app or delete my account to remove my data?
No. Uninstalling or deactivating an account only affects the front-end interface. Backend data, backups, and any copies shared with processors usually remain unless you make a formal erasure or blocking request under the Data Privacy Act.

What kinds of data can I typically ask an online lending app to erase?
Common categories include contact lists the app accessed, device identifiers and advertising IDs, location history, marketing and profiling data, photos or media not essential to the loan, and any information no longer needed after the loan purpose has ended. Core identity and transaction records tied to an active legal obligation may be retained in restricted form.

Is loan or financial information considered sensitive personal information?
Not automatically in every case, but the Data Privacy Act still fully protects it as personal information. Certain government-issued financial identifiers or health-related data linked to a loan may qualify as sensitive and require stricter processing rules.

How long can lending apps legally keep my data after I pay off a loan?
Only as long as it remains necessary for a specific lawful purpose (for example, defending against future claims or meeting defined regulatory record-keeping periods). Once that necessity ends, you can request erasure or blocking. Vague “we keep data for X years” policies are challengeable if they are not justified and proportionate.

What if the app has already shared my data with collection agencies or other third parties?
The PIC remains responsible. In your request, explicitly ask it to instruct all recipients and processors to erase or block the data and to confirm in writing that this has been done. The NPC can order broader corrective action if needed.

Do I need a lawyer to request erasure or file with the NPC?
No. You can handle both steps yourself. Clear documentation and a well-organized Complaint-Affidavit are the most important elements. Many people successfully resolve issues at the initial request stage or with NPC assistance without legal representation.

Can foreigners or OFWs exercise these rights against Philippine lending apps?
Yes. The Data Privacy Act applies to processing in the Philippines or by controllers established here, and in certain cases to processing that targets Philippine data subjects. The process is the same; most communication happens by email.

What evidence is most helpful when filing a complaint with the NPC?
Proof that you sent a written erasure request and gave the company 15 days to respond, any reply received, screenshots showing the app’s data practices or continued processing, and records of any harm (such as unauthorized contacts made to your family or friends).

Will requesting erasure stop harassing collection calls and messages?
It often helps significantly because it forces the company to stop or restrict further processing and sharing. For immediate relief from threats or harassment, also report directly to the police or NBI while pursuing the privacy route.

Are there penalties for companies that violate these rights?
Yes. The NPC can issue compliance orders, require corrective actions including erasure, and impose administrative penalties. Serious or repeated violations may also lead to criminal liability under the Data Privacy Act.

Key Takeaways

• You have a clear legal right under Section 16(e) of the Data Privacy Act of 2012 to request the erasure or blocking of your personal information from online lending apps when it is no longer necessary, was unlawfully processed, or when you withdraw consent.
• Always start with a formal written request to the company (the PIC), clearly stating the data, grounds, and what you want done, and keep proof of sending.
• Give the company 15 calendar days to respond before escalating — this exhaustion step is required for NPC complaints.
• If the company does not comply properly, file a notarized Complaint-Affidavit with the National Privacy Commission, attaching your prior request and evidence; the NPC can order corrective action and penalties.
• Document everything, be specific in your requests, and consider parallel reports to the police or SEC when harassment or unfair collection practices are involved.
• The process works for both active and closed accounts, and for borrowers inside and outside the Philippines, though outcomes on retained data depend on whether a lawful basis for continued processing still exists.

Taking these steps puts you back in control of your personal information and holds companies accountable under Philippine law.