The rapid growth of online lending applications in the Philippines has transformed access to credit, enabling borrowers to secure short-term loans through mobile platforms with minimal documentation. These apps, which typically require users to submit extensive personal and financial information during onboarding, function as personal information controllers (PICs) under Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (DPA). While convenient, the collection and processing of such data raise significant privacy concerns, particularly when borrowers seek to sever ties with a lender after loan repayment or for other legitimate reasons. This article provides a complete exposition of the legal right to request deletion of personal data from online lending apps, grounded exclusively in the DPA, its Implementing Rules and Regulations (IRR), and related issuances of the National Privacy Commission (NPC).
The Legal Framework: The Data Privacy Act of 2012
The DPA is the cornerstone of data protection in the Philippines. It applies to the processing of personal information by any natural or juridical person in the country, as well as to processing outside the Philippines when the PIC or personal information processor (PIP) offers goods or services to Philippine data subjects or monitors their behavior within the country. Online lending apps operating in the Philippines—whether locally incorporated or foreign entities serving Filipino users—fall squarely within its scope.
Under the DPA, “personal information” includes any information that can identify an individual, directly or indirectly, such as name, address, email, phone number, government identification numbers (e.g., SSS, TIN, passport), financial details, credit history, biometric data, and even geolocation or device identifiers collected by the app. “Sensitive personal information” receives heightened protection and includes data on race, ethnic origin, health, education, financial status, and government-issued IDs processed for non-governmental purposes.
PICs, such as online lending companies, are responsible for ensuring compliance with the DPA’s principles of transparency, legitimate purpose, and proportionality. They must appoint a Data Protection Officer (DPO) and implement appropriate security measures. Failure to comply exposes them to administrative fines of up to PHP 5 million per violation, as well as civil and criminal liability.
The Right to Erasure or Blocking
Section 16 of the DPA explicitly grants data subjects the right to erasure or blocking of their personal data. This right, often referred to as the “right to be forgotten,” is one of the most powerful tools available to individuals. A data subject may request the suspension, withdrawal, blocking, removal, or destruction of their personal data from the PIC’s filing system on any of the following grounds:
- The personal data is incomplete, outdated, false, or unlawfully obtained;
- The data is being processed for a purpose no longer necessary or relevant to the original purpose for which it was collected;
- The data subject withdraws consent on which the processing is based, where consent is the legal basis;
- The data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- The processing is unlawful; or
- Erasure is required or authorized by law, court order, or regulation.
In the context of online lending apps, the most common triggers are (a) completion of the loan term and full repayment, rendering further retention unnecessary; (b) withdrawal of consent to processing; or (c) discovery that the app continues to use or share data beyond the stated purpose (e.g., for marketing or credit scoring after the relationship has ended).
The IRR further clarifies that the right extends to both structured and unstructured data, including backups, provided technical feasibility allows. Deletion must be permanent and irreversible where possible, though the law recognizes that certain retention obligations may override the request.
Exceptions and Limitations to the Right to Erasure
The right to erasure is not absolute. Section 16 of the DPA and Rule V of the IRR provide exceptions where a PIC may lawfully refuse or only partially comply with a deletion request. These include situations where:
- Retention is necessary to comply with a legal obligation (e.g., Bangko Sentral ng Pilipinas (BSP) or Securities and Exchange Commission (SEC) regulations on record-keeping for lending entities, anti-money laundering laws under Republic Act No. 9160 as amended, or tax requirements under the National Internal Revenue Code);
- The data is needed for the establishment, exercise, or defense of legal claims (e.g., ongoing collection proceedings or disputes);
- Retention serves public interest, public health, or historical, statistical, or scientific research purposes;
- Erasure would render impossible or seriously impair the performance of contractual obligations; or
- The data forms part of a credit information system report submitted to the Credit Information Corporation (CIC) or other authorized credit bureaus, which operate under separate but complementary rules.
Online lending apps must therefore distinguish between data they control directly (e.g., internal loan files, chat logs, device fingerprints) and data they have already shared with third parties (e.g., credit scoring agencies or collection partners). Deletion requests typically require the PIC to notify third-party recipients and request corresponding deletion, but the PIC is not liable for non-compliance by independent third parties unless it failed to exercise due diligence.
Step-by-Step Procedure for Requesting Deletion
Data subjects should follow a structured, documented process to exercise their right effectively.
Step 1: Confirm Applicability and Gather Evidence
Verify that the online lending app is subject to Philippine jurisdiction (most apps targeting Filipino users are). Review the app’s privacy policy to identify the exact categories of personal data collected and any stated retention periods. Retain screenshots of loan agreements, repayment confirmations, account closure notices, and the privacy policy itself.
Step 2: Identify the Proper Recipient
Every PIC must designate a DPO or a contact person for data privacy concerns. Contact details are usually found in the app’s privacy policy, “About Us” section, or the footer of the website. If they are not readily available, the NPC’s online registry of PICs may be consulted. Requests should be addressed to the DPO by name or title.
Step 3: Prepare a Formal Written Request
The request must be in writing (email or registered mail is acceptable; physical letters provide stronger proof of service). Key elements to include:
- Full name and other identifying details (to enable verification);
- Proof of identity (e.g., scanned valid ID with photo and signature);
- Specific description of the personal data to be deleted (e.g., “all personal information, sensitive personal information, transaction history, credit score data, device information, and communications stored in relation to Loan Account No. XXXXX”);
- Legal basis for the request, citing Section 16 of the DPA and the specific ground(s) relied upon (e.g., “the processing is no longer necessary as the loan has been fully paid and closed”);
- Preferred method of confirmation (e.g., written acknowledgment and proof of deletion);
- Date of request and desired compliance timeline; and
- Contact details for follow-up.
A template request letter should be clear, concise, and polite but firm. Multiple requests for the same data are unnecessary; one comprehensive request suffices.
Step 4: Submit the Request
Send via the app’s official support email, in-app messaging system, or registered mail with return receipt. Retain copies of the entire correspondence, including delivery receipts. The DPA does not prescribe a specific format, but written documentation creates an audit trail essential for enforcement.
Step 5: Monitor and Follow Up
The PIC is required to act “promptly” upon receipt. While the DPA itself does not fix a strict deadline, NPC guidelines and best practices expect compliance within 30 days, extendable only for valid reasons with notice to the data subject. The PIC must provide a written response explaining any action taken or the basis for any refusal.
Step 6: Verify Deletion
Upon confirmation, request a detailed report of what was deleted, the date of deletion, and confirmation that no copies remain in active or backup systems (subject to technical feasibility). For lending apps, insist on confirmation that the data has been removed from internal databases and any linked credit reporting systems where permissible.
Obligations of the Online Lending App
Upon receipt of a valid request, the PIC must:
- Verify the requester’s identity without undue delay;
- Cease further processing of the data (except for retention justified by exceptions);
- Notify all PIPs and third-party recipients of the erasure request;
- Update its internal records to reflect the action taken;
- Inform the data subject in a clear and accessible manner; and
- Maintain logs of the request for accountability purposes (the NPC may require production of these records).
Failure to respond, unjustified denial, or continued processing after a valid erasure request constitutes a violation punishable by the NPC.
Remedies When the Request Is Denied or Ignored
If the lending app denies the request, it must provide a clear explanation grounded in the exceptions under the DPA. The data subject may then:
- Request reconsideration, providing additional justification;
- File a formal complaint with the NPC within the prescribed period (generally two years from knowledge of the violation, subject to rules on prescription);
- Seek judicial relief through a petition for writ of habeas data or damages under the Civil Code if actual harm (e.g., continued harassment or identity theft) results.
To file with the NPC: Submit a verified complaint through the NPC’s official portal or at its office, including all supporting documents. The NPC may conduct mediation, investigation, or impose administrative sanctions. Criminal complaints may be filed separately with the Department of Justice or the Office of the Prosecutor if the violation warrants it.
Special Considerations for Online Lending Apps
Online lending platforms present unique challenges. Many are regulated by the BSP as lending companies or by the SEC as financing entities. BSP Circulars require retention of loan-related records for a minimum period (often five to ten years depending on the nature of the transaction) to support supervision, audit, and anti-fraud measures. Credit data shared with the CIC under Republic Act No. 9510 (Credit Information System Act) follows separate retention rules.
Cross-border data flows are common; many apps store data on foreign servers. The DPA requires adequate safeguards (e.g., Binding Corporate Rules or Standard Contractual Clauses) for such transfers. Data subjects retain the right to erasure regardless of storage location, and the Philippine PIC remains primarily accountable.
Apps may also use automated decision-making (e.g., AI credit scoring). The DPA grants data subjects the right to object to decisions based solely on automated processing that produce legal or significant effects. Deletion requests can encompass the underlying training or profiling data where lawful.
Practical Tips for Effective Compliance
- Act promptly after loan closure; delays may weaken the “no longer necessary” argument.
- Avoid using generic support tickets—address the DPO directly.
- Keep records of every interaction.
- If multiple apps are involved (e.g., after refinancing), submit parallel requests.
- Monitor credit reports from CIC or other bureaus separately, as deletion from one lender’s system does not automatically purge shared credit data.
The right to erasure under the DPA empowers Filipino borrowers to reclaim control over their personal data once the legitimate purpose of processing has ended. By understanding the legal grounds, following the prescribed procedure, and invoking the NPC’s enforcement mechanisms when necessary, data subjects can effectively compel online lending apps to honor their privacy rights while navigating the legitimate regulatory and contractual obligations that lenders must observe. This balance ensures both consumer protection and a stable digital lending ecosystem.