This article explains your rights and practical steps to request deletion of your personal data from online lending apps (“OLAs”) under Republic Act No. 10173 or the Data Privacy Act of 2012 (the “DPA”), its Implementing Rules and Regulations (IRR), and related guidance from the National Privacy Commission (NPC). It is general information, not legal advice.
1) Why this matters
Many OLAs collect far more data than is necessary—device identifiers, geolocation, contact lists, photos, transaction history, and behavioral data—then use it for scoring, collections, or targeted ads. The DPA gives you enforceable rights to control that data, including the right to have it deleted or blocked in many situations.
2) The legal foundations (in plain language)
2.1. Rights you can rely on
Under the DPA and IRR, data subjects (you) have, among others, the rights to:
- Be informed how your data will be used;
- Object to processing that’s unnecessary, unlawful, or based on consent you now withdraw;
- Access and rectify personal data;
- Have personal data erased or blocked when:
  - the data is no longer necessary for the stated purpose;
  - you withdraw consent and there is no other lawful basis to keep processing;
  - data was unlawfully obtained or processed;
  - data pertains to a child and was processed without proper consent and safeguards;
  - continued processing would violate your rights.
2.2. Lawful bases OLAs typically claim
An OLA can only process personal data if it has a lawful basis. Common ones include:
- Consent (e.g., in-app prompts and privacy notices);
- Contract necessity (to provide the loan you requested);
- Legal obligations (e.g., anti-money laundering, tax, audit);
- Legitimate interests (balanced against your rights);
- Protection of vitally important interests (rare in OLA context).
When you invoke deletion, the OLA must show it still has a lawful basis to keep your data. If it can’t, it must delete or at least block/restrict further processing.
2.3. Key limits and carve-outs (where deletion can be refused)
Your deletion request does not override mandatory retention laws. Common examples:
- Anti-Money Laundering Act (AMLA) and related rules require at least five (5) years retention of records by covered persons (which generally include lending/financing companies and many fintechs).
- Tax/audit laws require retention of accounting records for legally prescribed periods.
- Establishment, exercise, or defense of legal claims (e.g., collections, litigation).
In these cases, the OLA must restrict data to storage-only, use it only for the specific legal purpose, and stop all other processing (marketing, profiling, sharing, contact-list use, etc.).
3) What “deletion,” “blocking,” and “anonymization” mean
- Deletion: Erasing personal data so it cannot be reconstituted; this includes backups and third-party processors, unless retention is legally required.
- Blocking/Restriction: Keeping data but freezing active use and access, except for a narrow legal purpose (e.g., AMLA or litigation).
- Anonymization: Irreversibly removing identifiers so the data no longer relates to an identifiable person. Proper anonymization can satisfy an erasure request where full deletion would break system integrity or legal hold—provided re-identification is not possible.
4) Common OLA problem areas (and how the DPA applies)
- Contact-list scraping and “debt shaming”: Collecting and using your phone contacts to pressure repayment is almost always unnecessary and disproportionate. Unless a clear lawful basis exists (it typically does not), this processing is unlawful, giving you stronger grounds for erasure/blocking and complaint.
- Overbroad permissions (camera, location, storage): If permissions are not necessary for providing the loan or are retained after they’re no longer needed, you may withdraw consent and seek erasure/restriction.
- Misleading or vague privacy notices: If the app didn’t clearly inform you of uses or sharing, continued processing may be unlawful and subject to erasure.
5) Step-by-step: How to request deletion from an OLA
Step 1: Gather your materials
- Your full name and identifiers the app uses (registered email/number; loan account or reference number).
- Proof of identity (government ID) and, if emailing, a selfie with the ID (many controllers require this to authenticate the request).
- Screenshots (optional but helpful): app permissions, messages, collection practices, contacts accessed, harassment, etc.
Step 2: Locate the Data Protection Officer (DPO) contact
- Check the app’s privacy notice, app store listing, or in-app help center for the DPO or privacy email and postal address.
Step 3: Send a Data Subject Request (DSR) for erasure/blocking
- Clearly state you are invoking your Right to Erasure/Blocking under the DPA and IRR.
- Specify which data and processing you want stopped (e.g., contact list, location, device IDs, marketing, profiling; or all personal data not required by law).
- If you withdraw consent, say so expressly and ask the OLA to identify any remaining lawful basis it relies on.
- Ask them to cascade deletion to processors and third-party recipients (debt collectors, analytics, ad tech, affiliates).
- Request written confirmation of actions taken and, if refusing, a legal citation for the refusal.
Turnaround time: The DPA expects controllers to act promptly and reasonably. In practice, give a clear deadline (e.g., 15 calendar days) for confirmation. While the law does not fix a single universal number of days for all requests, putting a reasonable date in your letter creates a clear record.
Step 4: Follow up
- If you receive no reply or an inadequate one, send a polite follow-up referencing your first request and the deadline.
Step 5: Escalate
- You may file a complaint with the National Privacy Commission (NPC). Provide: your requests, the OLA’s reply (or lack thereof), proof of identity, and evidence of the contested processing (e.g., debt-shaming messages, call logs).
- You may also seek civil damages under the DPA for violations of your rights.
6) Model deletion request (copy-paste template)
Subject: Data Subject Request – Right to Erasure/Blocking under the Data Privacy Act
To: [Data Protection Officer / Privacy Office Email of OLA]
Dear DPO,
I am exercising my Right to Erasure/Blocking under the Data Privacy Act of 2012 and its IRR.
Account details:
- Full name: [Your name]
- Registered mobile no./email: [Your mobile/email]
- Loan/account/reference no.: [If any]
Request:
- Delete all my personal data that is no longer necessary for providing my closed or current loan, including but not limited to: device identifiers, geolocation, contact list, photos/media, marketing and analytics data, and any profiles or scores derived from such data.
- I hereby withdraw any consent previously given for processing (including access to my contact list, camera, microphone, location, storage, marketing, and profiling).
- If you claim any legal basis to continue processing specific data (e.g., AMLA retention), please identify it and restrict that data to storage-only, for the minimum period required by law, with no other processing.
- Please cascade this request to all processors and third-party recipients (including debt collection agencies, analytics providers, and affiliates) and confirm completion.
Security/Backups: Ensure deletion from active systems and that any retained backups are put on a restricted retention schedule and not restored or used, except for legal audit requirements.
Response and confirmation: Please confirm in writing the actions taken and the date of completion within 15 calendar days. If you deny any part of this request, kindly provide a specific legal reason and the data categories affected.
I attach proof of identity: [description].
Sincerely,
[Your full name]
[Date]
7) What a compliant OLA should do after your request
- Authenticate your identity in a proportionate way (no excessive new data collection).
- Assess which data is still necessary or legally required to retain; delete or anonymize the rest.
- Restrict retained data to storage-only where a legal obligation exists; turn off non-essential processing (marketing, profiling, contact-list access).
- Notify processors/recipients to do the same and maintain an audit trail.
- Provide a clear written response describing what was deleted, what was restricted and why, how long retention will last, and whom they notified.
8) Special issues in lending contexts
8.1. Collections and contact lists
- Using your contact list to harass or shame you or your acquaintances is typically unlawful and disproportionate. Your request should explicitly forbid further contact of third parties whose data was scraped via your device.
8.2. Device permissions
- After loan approval (or after you withdraw consent), most intrusive permissions (contacts, camera, precise location, microphone, photo library) are rarely necessary. Request revocation and deletion of the data already collected under those permissions.
8.3. Scoring and profiling
- If an OLA built a profile/score from your device data, ask for it to be deleted or decoupled (anonymized) unless there is a compelling and lawful basis to retain it.
9) Evidence to keep (for escalation)
- Copies of your DSR emails/letters and delivery receipts.
- Screenshots of app permissions and settings.
- Call/SMS logs and messages from collectors or third parties.
- Any privacy notices or consents you were shown.
- The OLA’s responses and timestamps.
10) If the OLA denies or partially grants your request
Ask the OLA to:
- Identify each data category it will retain and why (exact legal basis or contractual necessity).
- Provide the retention period and how restriction is enforced (technical and organizational controls).
- Confirm third-party notifications and provide a list of categories of recipients (specific names where feasible).
If the explanation is generic or evasive, you may escalate to the NPC with your documentation.
11) Practical FAQs
Q: Can I demand deletion while I still have an unpaid loan?
A: You can withdraw consent and seek deletion of data not necessary for the contract or legal obligations. The OLA may retain necessary data (identity, account, transactions, contact information you provided) to service/collect the loan or comply with AMLA. Everything else (e.g., contact list, location history, analytics) should be deleted or restricted.
Q: Can they keep my records forever because of AMLA?
A: No. AMLA sets minimum retention (commonly five years), not indefinite retention. After the period, data should be securely disposed of, unless another valid legal hold applies.
Q: Do I need to uninstall the app?
A: It’s prudent after you send your request and confirm deletion/restriction. Also revoke permissions in your device settings.
Q: What if the OLA is overseas?
A: The DPA applies to processing of personal data about individuals in the Philippines in many scenarios. If cross-border transfers occurred, the controller must still ensure adequate protection, honor your rights, and cascade your request to its processors.
Q: They never named a DPO. What now?
A: Send your request to the general support email and postal address in the privacy notice, and note that the DPA requires a DPO. Keep your proof of dispatch for the NPC.
12) For OLAs: compliance checklist (short version)
- Maintain a Register of Processing Activities with purposes, bases, retention, recipients.
- Use data minimization: collect only what’s necessary; justify each permission.
- Implement consent flows that are granular and easy to withdraw.
- Establish DSR procedures: verify identity, respond promptly, document actions.
- Contractually bind processors to cascade deletions/restrictions and help fulfill DSRs.
- Enforce role-based access, logging, encryption, and backup deletion schedules.
- Turn off debt-shaming practices; prohibit scraping of contacts or social graphs without a demonstrable, lawful, and proportionate basis (which is rarely present).
13) Quick action plan (for individuals)
- Export or note your account details.
- Send the deletion/blocking request (template above) to the DPO.
- Set a reply window (e.g., 15 days) and keep records.
- Follow up once if needed.
- Escalate to the NPC with your dossier if you’re ignored or unlawfully refused.