I. Introduction
Online lending apps have become common in the Philippines because they offer fast loan approval, minimal paperwork, and convenient access through mobile phones. However, many borrowers have reported abusive collection practices, including online lending companies or their collection agents sending text messages to the borrower’s employer, boss, co-workers, relatives, friends, or phone contacts.
A typical complaint involves messages such as:
“Your employee has an unpaid loan. Please tell him to settle immediately.”
or:
“Your relative is a scammer and refuses to pay his debt.”
or:
“We will report your family member to the barangay, police, employer, and social media if payment is not made today.”
This practice raises serious legal issues under Philippine law. While lenders may lawfully collect unpaid debts, they cannot freely disclose a borrower’s personal information, shame the borrower, harass third persons, access phone contacts without valid consent, or use threats and humiliation as collection methods.
In the Philippine context, texting a borrower’s boss, relatives, co-workers, or phone contacts may constitute a data privacy violation and an unfair debt collection practice. Depending on the message, it may also involve cyber libel, unjust vexation, grave coercion, threats, harassment, or other civil, criminal, or administrative liability.
II. The Core Legal Issue
The central question is:
Can an online lending app contact a borrower’s boss, relatives, friends, or other third persons about the borrower’s unpaid loan?
The general answer is:
Not freely, and not in a manner that discloses the borrower’s debt, shames the borrower, threatens the borrower, or processes third-party contact information without lawful basis.
A lending company may have a legitimate interest in collecting a debt. However, that interest does not automatically authorize the company to:
- Access the borrower’s entire phonebook;
- Use phone contacts for collection pressure;
- Tell the borrower’s employer about the debt;
- Shame the borrower before relatives or co-workers;
- Send defamatory or threatening messages;
- Misrepresent legal consequences;
- Contact third persons who are not co-makers, guarantors, sureties, references, or authorized representatives;
- Continue contacting third persons after being told to stop;
- Use personal information beyond the purpose for which it was collected.
Debt collection must still comply with the Data Privacy Act of 2012, the rules of the National Privacy Commission, lending and financing regulations, and general civil and criminal laws.
III. What Personal Data Is Involved?
When an online lending app texts a boss or relative about a borrower’s loan, several kinds of personal data may be involved.
A. Personal information of the borrower
The borrower’s personal information may include:
- Full name;
- Mobile number;
- Address;
- Employer or workplace;
- Job position;
- Loan status;
- Loan amount;
- Payment history;
- Default status;
- Alleged delinquency;
- Contact list;
- References;
- Photos or profile information;
- ID documents;
- App usage data.
The fact that a person has borrowed money or is allegedly overdue is personal information. It relates to the borrower’s financial condition and reputation.
B. Sensitive personal information
Some data collected by lending apps may be sensitive, such as:
- Government-issued ID numbers;
- Financial account details;
- Health-related information, if requested;
- Biometrics or facial recognition data;
- Information about marital or family circumstances;
- Location data, depending on how it is collected and used.
Sensitive personal information receives stricter protection.
C. Personal information of third persons
The boss, relatives, friends, and phone contacts are also data subjects. Their names, numbers, relationship to the borrower, workplace information, and contact details are personal information.
This is often overlooked. When a lending app uploads, stores, scans, or uses a borrower’s contact list, it is not only processing the borrower’s data. It is also processing the personal data of hundreds or thousands of third persons who may never have consented to the lending app’s access.
IV. Why Contacting the Boss or Relatives Can Be a Data Privacy Violation
Texting a boss or relative may violate data privacy principles because it usually involves unauthorized or excessive disclosure of personal information.
1. Unauthorized disclosure of debt information
A borrower’s loan status is private. Informing the employer, boss, relative, or co-worker that the borrower has an unpaid loan may be an unauthorized disclosure of personal information.
Even if the loan is real, the lender must still have a lawful basis to disclose it to third persons. Debt collection does not automatically justify public or semi-public disclosure.
2. Processing beyond the original purpose
If the borrower gave access to contacts only for verification, reference checking, or app functionality, the lender cannot later use those contacts for harassment, shaming, or collection pressure.
Under data privacy principles, personal data must be collected for a specified and legitimate purpose and must not be used in a way incompatible with that purpose.
3. Excessive processing
Using an entire phonebook to pressure a borrower is usually excessive. A lender may need reasonable contact information, but it does not need to message a borrower’s boss, relatives, classmates, customers, or distant acquaintances to collect a debt.
Data processing must be proportionate. The means used must be suitable, necessary, and not excessive in relation to the purpose.
4. Lack of consent from third persons
The borrower’s contacts did not necessarily consent to have their numbers collected or used by the lending app. Even if the borrower allowed phonebook access, that does not automatically mean each contact consented to receive collection messages.
A borrower cannot normally give blanket consent on behalf of unrelated third persons.
5. Harassment and public shaming
Messages intended to embarrass the borrower are inconsistent with fair and lawful processing. Public shaming, threats, insults, or defamatory accusations are not legitimate debt collection methods.
6. Violation of confidentiality
Lenders handle financial information. They are expected to treat borrower information with confidentiality. Disclosing a loan to third persons may breach that duty.
V. Data Privacy Principles Applicable to Online Lending Apps
The Data Privacy Act is built on important principles that apply to online lending apps.
A. Transparency
The borrower must be informed how personal data will be collected, used, stored, shared, and disclosed.
A privacy notice should not be vague. It should explain:
- What data is collected;
- Why it is collected;
- Whether phone contacts are accessed;
- Whether third persons will be contacted;
- Who will receive the data;
- How long data will be stored;
- How the borrower can exercise data privacy rights;
- Whether collection agents or third-party service providers will process the data.
A lending app cannot hide abusive practices inside broad or confusing terms and conditions.
B. Legitimate purpose
Data must be processed only for a declared and lawful purpose. Loan evaluation, fraud prevention, identity verification, and collection may be legitimate purposes. But harassment, humiliation, intimidation, and reputational pressure are not legitimate purposes.
C. Proportionality
Only data necessary for the stated purpose should be collected and used. For example, a lender may reasonably require identity documents, contact information, income information, and references. But access to the borrower’s entire phonebook, photo gallery, social media accounts, or employer network may be excessive unless clearly justified.
Mass texting contacts is especially questionable because it is a broad and intrusive method of collection.
VI. Consent Is Not Always a Valid Defense
Online lending apps often argue that the borrower “consented” by clicking “I agree” or by allowing access to contacts. This defense is not always valid.
A. Consent must be informed
Consent is weak if the borrower was not clearly told that the lender would access the phonebook and text relatives, friends, or employers about unpaid loans.
A general phrase such as “we may use your contacts for collection purposes” may still be challenged if it is unclear, buried in lengthy terms, or used to justify abusive conduct.
B. Consent must be specific
Consent should identify the specific data and specific purpose. Consent to process data for loan verification is not necessarily consent to send humiliating messages to a boss.
C. Consent must be freely given
If access to contacts is forced as a condition for using the app, the consent may be questionable, especially if the data collected is unnecessary or excessive.
D. Consent does not legalize harassment
Even if the borrower consented to being contacted, the lender still cannot use threats, insults, defamatory statements, or unlawful pressure.
E. Consent by the borrower does not equal consent by all contacts
The borrower’s relatives, boss, or friends are separate data subjects. Their personal data cannot be treated as freely usable simply because their number is saved in the borrower’s phone.
VII. When Contacting a Third Person May Be Permissible
Not every third-party contact is automatically unlawful. There are limited situations where contacting another person may be allowed.
1. Co-maker, co-borrower, guarantor, or surety
If the third person signed as co-maker, co-borrower, guarantor, or surety, the lender may contact that person regarding the obligation. Even then, communication must remain respectful, truthful, and limited to the necessary purpose.
2. Character reference
If a person was voluntarily listed as a reference, the lender may contact the reference for verification. However, being a reference is not the same as being liable for the debt. The lender should not pressure the reference to pay unless the reference legally undertook liability.
3. Authorized representative
If the borrower authorized a person to receive communications or act on the borrower’s behalf, the lender may communicate with that person within the scope of authority.
4. Emergency or identity verification
Limited contact may be justified for legitimate verification or fraud prevention. But disclosure should be minimized. The lender should not reveal unnecessary loan details.
5. Court, regulator, or lawful process
Disclosure may be allowed when required by law, court order, subpoena, or lawful regulatory process.
In all cases, the communication must be limited, necessary, and respectful. A legitimate reason to contact someone is not a license to shame the borrower.
VIII. Texting the Borrower’s Boss or Employer
Texting the borrower’s boss is especially problematic.
Employment information is sensitive in practical effect because disclosure of alleged debt delinquency can harm the borrower’s job, reputation, promotion prospects, and workplace relationships.
A lender who texts the boss may be attempting to use employment pressure to force payment. This can amount to harassment or unfair collection, especially if the message says or implies that:
- The borrower is dishonest;
- The borrower is a scammer;
- The borrower should be disciplined at work;
- The employer should force payment;
- The borrower’s debt should be announced at the workplace;
- The employer is responsible for the employee’s loan;
- The company will be sued or reported because of the employee’s debt.
Unless the employer is a co-maker, guarantor, authorized payroll deduction party, or otherwise legally involved in the loan, disclosure to the boss is generally difficult to justify.
A properly limited message, if allowed at all, should avoid disclosing the debt. For example, a neutral request such as “Please ask Mr. X to contact our office regarding a private matter” is less intrusive than saying “Your employee has an overdue loan.” But even repeated neutral messages may become harassment if excessive.
IX. Texting Relatives and Friends
Texting relatives and friends is also problematic unless they are legally involved in the loan.
A relative is not automatically liable for a borrower’s debt. A parent, spouse, sibling, child, cousin, or friend cannot be forced to pay unless he or she signed as co-borrower, guarantor, surety, or otherwise assumed legal liability.
A collection agent violates privacy and fair collection standards when he or she tells relatives:
- The borrower owes money;
- The borrower is overdue;
- The borrower is evading payment;
- The family should pay;
- The borrower will be arrested;
- The family will be reported;
- The borrower will be posted online;
- The borrower is a fraudster or scammer.
The lender may contact a listed reference only within proper limits. A reference may be asked to help locate or communicate with the borrower, but the collector should not disclose unnecessary financial information or threaten the reference.
X. Accessing the Borrower’s Phone Contacts
A major issue with online lending apps is permission to access contacts.
Some lending apps request access to:
- Phonebook;
- Call logs;
- SMS;
- Photos;
- Camera;
- Location;
- Social media;
- Device ID;
- Installed apps;
- Storage.
Of these, contact list access is the most controversial for lending purposes.
A. Why contact access is dangerous
When a borrower grants contact access, the app may collect names and numbers of relatives, friends, employers, clients, suppliers, doctors, lawyers, teachers, and other private contacts. This allows the lender to pressure the borrower through social exposure.
B. Contact access may be excessive
A loan app may need identity verification, but it rarely needs the borrower’s entire contact list. If only one or two references are needed, collecting the entire phonebook may be excessive.
C. Third persons did not consent
Contacts did not agree to be included in a lender’s database. They did not agree to receive collection messages. They did not agree to have their relationship to the borrower analyzed.
D. App permissions do not override law
Phone permission settings are not a substitute for legal compliance. Just because a user clicked “Allow Contacts” does not mean the lender may use the data for any purpose.
XI. Harassing or Shaming Messages
A message may become legally actionable not only because it discloses personal data, but also because of its tone and content.
Problematic messages include those that:
- Call the borrower a scammer, thief, fraudster, or criminal;
- Threaten arrest for nonpayment of an ordinary loan;
- Threaten to post the borrower on social media;
- Threaten to contact all phone contacts;
- Threaten the borrower’s employer;
- Use obscene or insulting language;
- Send repeated messages at unreasonable hours;
- Send messages to many relatives or co-workers;
- Pretend to be from a court, police, NBI, barangay, or prosecutor;
- Use fake case numbers;
- Misrepresent civil debt as a criminal offense;
- Pressure relatives to pay;
- Shame the borrower’s family;
- Use the borrower’s photo or ID in a humiliating layout;
- Create group chats to shame the borrower.
These practices may support complaints before regulators and may expose the lender or collection agent to civil and criminal liability.
XII. Debt Collection vs. Harassment
A lender has the right to collect. A borrower has the obligation to pay a valid debt. But collection must be lawful.
Lawful collection may include:
- Sending reminders to the borrower;
- Calling the borrower at reasonable times;
- Sending demand letters;
- Offering restructuring;
- Referring the account to a legitimate collection agency;
- Filing a civil collection case;
- Reporting to proper credit systems where legally allowed;
- Enforcing valid security or collateral arrangements;
- Communicating with co-makers or guarantors.
Unlawful or abusive collection may include:
- Public shaming;
- Threats of violence;
- False threats of imprisonment;
- Texting uninvolved relatives;
- Texting the borrower’s employer;
- Posting the borrower’s photo online;
- Mass messaging phone contacts;
- Using profanity;
- Pretending to be law enforcement;
- Disclosing debt to third persons;
- Calling repeatedly to annoy or intimidate;
- Using fake legal documents;
- Using personal data for purposes not disclosed or consented to.
The law does not protect debt evasion, but neither does it allow debt collection through humiliation.
XIII. Liability Under the Data Privacy Act
The Data Privacy Act may apply because the lending app and its collection agents process personal information.
Possible violations may include:
1. Unauthorized processing
Processing personal data without lawful basis may be unauthorized processing.
2. Processing for unauthorized purposes
Using collected data for harassment, shaming, or pressure may go beyond the declared purpose.
3. Unauthorized disclosure
Telling a boss, relative, co-worker, or friend about the borrower’s debt may be unauthorized disclosure.
4. Malicious disclosure
Disclosure made with malice, bad faith, or intent to shame may be more serious.
5. Improper disposal or security failure
If borrower data or contact lists are leaked, sold, shared, or mishandled, the lender may face liability for poor data protection.
6. Failure to respect data subject rights
Borrowers and affected third persons may exercise rights such as access, correction, objection, erasure or blocking, and complaint.
The National Privacy Commission may investigate complaints and impose appropriate action depending on the circumstances.
XIV. Liability of Collection Agencies
Online lenders often outsource collection to third-party agencies. A lender cannot avoid liability simply by blaming a collector.
If a collection agency acts on behalf of the lender, both may potentially be liable depending on their roles:
- The lender may be the personal information controller;
- The collection agency may be a personal information processor or independent controller, depending on the arrangement;
- Both must comply with privacy and collection rules;
- The lender must choose and supervise collection agencies properly;
- The lender should have data sharing or processing agreements;
- The lender should ensure collectors follow lawful methods.
If the collector sends abusive messages, the borrower may complain against the collector, the agency, and the lending company, depending on evidence.
XV. Liability of Individual Collection Agents
Individual agents may also be personally liable if they personally sent threats, insults, defamatory messages, fake legal notices, or unauthorized disclosures.
A collector cannot simply say, “I was only doing my job.” Employment or agency does not excuse unlawful acts.
Possible personal exposure may include:
- Civil liability for damages;
- Criminal complaint for threats, coercion, unjust vexation, libel, cyber libel, or other offenses depending on facts;
- Administrative consequences if working for a regulated entity;
- Data privacy-related liability where applicable.
XVI. Cyber Libel and Defamatory Messages
If a lending app or collector sends messages accusing the borrower of being a scammer, criminal, thief, fraudster, or immoral person, cyber libel may be considered if the elements are present.
Cyber libel generally involves defamatory imputation made through a computer system or similar means, identifying a person, published to another person, with malice.
Texting a boss or relatives may constitute publication to third persons. If the message falsely or maliciously harms the borrower’s reputation, it may support a complaint.
Even if the borrower owes money, calling the borrower a criminal or scammer may still be defamatory if the statement goes beyond the truth or falsely imputes a crime or dishonorable conduct.
XVII. Threats, Coercion, and Unjust Vexation
Collection messages may also raise issues under criminal law.
A. Threats
A message may constitute a threat if it warns of harm, exposure, false prosecution, or other unlawful consequences to force payment.
B. Coercion
If the collector uses intimidation to force the borrower or relatives to do something against their will, coercion may be considered.
C. Unjust vexation
Repeated annoying, humiliating, or distressing messages may be treated as unjust vexation depending on the facts.
D. Grave scandal or alarm-related offenses
In extreme cases involving public disturbance or scandalous conduct, other offenses may be examined.
The specific complaint depends on the exact words, frequency, recipients, and context.
XVIII. Misrepresentation of Legal Consequences
Many collectors falsely tell borrowers:
- “You will be arrested today.”
- “Police are on the way.”
- “A warrant has been issued.”
- “Your case is already filed in court.”
- “You are charged with estafa.”
- “Your employer will be sued.”
- “Your family will be blacklisted.”
- “Your barangay captain will arrest you.”
For an ordinary unpaid loan, the usual remedy is civil collection, not automatic imprisonment. Nonpayment of debt alone does not automatically make a person a criminal.
There may be criminal liability in cases of fraud, false pretenses, falsified documents, bouncing checks, identity theft, or similar facts. But collectors cannot casually threaten arrest just to force payment.
Fake legal threats may support complaints for harassment, unfair collection, deception, or other legal action.
XIX. The Role of the National Privacy Commission
The National Privacy Commission is the government agency primarily responsible for enforcing data privacy law in the Philippines.
A borrower or affected third person may file a complaint when an online lending app:
- Accessed contacts without proper consent;
- Used contact information for harassment;
- Disclosed debt to third persons;
- Sent humiliating messages;
- Failed to provide a privacy notice;
- Ignored requests to stop unlawful processing;
- Failed to respond to data subject requests;
- Shared data with unauthorized collectors;
- Posted personal data online;
- Used personal data beyond legitimate purposes.
The complaint should include evidence such as screenshots, phone numbers, app name, company name, privacy policy, loan documents, and proof that messages were sent to third persons.
XX. The Role of the Securities and Exchange Commission
Many lending companies and financing companies are regulated by the Securities and Exchange Commission. The SEC has authority over registered lending and financing entities and may act against abusive practices, unregistered lending operations, or violations of relevant rules.
A borrower may complain to the SEC if the online lending app:
- Is unregistered;
- Uses abusive collection practices;
- Harasses borrowers or contacts;
- Misrepresents legal authority;
- Charges unlawful or excessive fees;
- Violates lending company rules;
- Uses unfair or deceptive practices;
- Operates under suspicious or multiple app names.
The SEC may impose sanctions depending on the violation, including penalties, suspension, revocation, or other regulatory action.
XXI. The Role of the Bangko Sentral ng Pilipinas
If the online lending service is connected to a bank, financing institution, electronic money issuer, payment platform, or BSP-supervised financial institution, complaints may also involve the Bangko Sentral ng Pilipinas.
The BSP may be relevant when the entity is a bank, credit card issuer, financing arm under BSP supervision, digital bank, e-wallet provider, or other covered financial institution.
However, many online lending apps are lending or financing companies under SEC jurisdiction rather than BSP-supervised banks.
XXII. The Role of the Philippine National Police and NBI Cybercrime Units
If the messages involve threats, extortion, cyber libel, identity theft, fake legal documents, hacking, unauthorized access, or other cybercrime-related conduct, the borrower may seek assistance from:
- PNP Anti-Cybercrime Group;
- NBI Cybercrime Division;
- Local prosecutor’s office;
- Local police station, depending on the offense.
Evidence preservation is important. Screenshots should show sender numbers, dates, times, and full message content. It is also useful to keep the original SMS, call logs, app notifications, emails, and recordings where lawfully obtained.
XXIII. Rights of the Borrower as Data Subject
A borrower whose data is processed by an online lending app has rights under data privacy law.
These include:
1. Right to be informed
The borrower has the right to know how personal data is collected, used, shared, and stored.
2. Right to access
The borrower may ask what personal data the lender holds and how it has been processed.
3. Right to object
The borrower may object to processing that is unlawful, excessive, or no longer necessary.
4. Right to correction
The borrower may request correction of inaccurate data.
5. Right to erasure or blocking
The borrower may request deletion, blocking, or removal of data when processing is unlawful, unauthorized, excessive, or no longer necessary, subject to lawful retention requirements.
6. Right to damages
The borrower may seek compensation if harmed by unlawful processing.
7. Right to file a complaint
The borrower may file a complaint with the proper regulator or court.
XXIV. Rights of Relatives, Bosses, and Other Contacts
The third persons who received messages also have rights. A boss, relative, co-worker, or friend whose contact information was accessed and used by the lending app may ask:
- How the lender obtained their number;
- Why they were contacted;
- What personal data of theirs is being stored;
- Whether their data was shared with collectors;
- That the lender stop contacting them;
- That their personal data be deleted or blocked, subject to lawful exceptions.
They may also file their own complaint if they were harassed, threatened, or had their personal data misused.
XXV. What the Borrower Should Do Immediately
A borrower experiencing harassment should act carefully and preserve evidence.
Step 1: Do not delete messages
Keep all SMS, emails, chat messages, call logs, and app notifications.
Step 2: Take screenshots
Screenshots should show:
- Sender number or account;
- Date and time;
- Full message;
- Recipient;
- App name, if visible;
- Threats or disclosures.
Step 3: Ask recipients to save proof
The boss, relatives, or friends who received messages should also preserve screenshots and original messages.
Step 4: Identify the lender
Record:
- App name;
- Registered company name;
- Website;
- App store listing;
- Email address;
- Collector name;
- Collection agency name;
- Phone numbers used;
- Loan agreement;
- Privacy policy;
- Terms and conditions.
Step 5: Send a written demand to stop unlawful contact
The borrower may send a formal message demanding that the lender stop contacting third persons and communicate only through authorized channels.
Step 6: File complaints if harassment continues
Depending on the facts, complaints may be filed with the National Privacy Commission, SEC, PNP or NBI cybercrime units, or other proper offices.
Step 7: Still address the debt
A privacy violation does not erase a valid debt. The borrower should separately address repayment, restructuring, dispute of charges, or legal defenses.
XXVI. Sample Demand Message to the Online Lending App
A borrower may send a message similar to this:
I demand that you immediately stop contacting my employer, relatives, friends, co-workers, and other third persons regarding my alleged loan obligation. Your disclosure of my personal and financial information to persons who are not parties to the loan is unauthorized, excessive, and violative of my privacy rights.
You are directed to communicate only with me through my registered number or email address. You are also directed to preserve all records of your data processing, collection messages, call logs, and disclosures to third persons.
If you continue contacting third persons, threatening me, or disclosing my personal information, I will file the appropriate complaints with the National Privacy Commission, the Securities and Exchange Commission, and other proper authorities.
This message should be modified according to the facts and should be sent through a channel that creates proof of sending.
XXVII. What Evidence Is Useful in a Complaint?
Strong evidence includes:
- Screenshots of messages sent to the borrower;
- Screenshots of messages sent to boss, relatives, friends, or co-workers;
- Statements from recipients confirming they received the messages;
- Call logs showing repeated calls;
- Voice recordings, if lawfully obtained;
- App screenshots showing permissions requested;
- Copy of the loan agreement;
- Copy of privacy policy and terms;
- Proof of payment or loan dispute;
- Demand messages sent to the lender;
- Response from the lender;
- List of phone numbers used by collectors;
- App store page or website of the lending app;
- SEC registration information, if available;
- Any public posts made by the collector.
Evidence should be organized chronologically.
XXVIII. Possible Remedies
Depending on the case, remedies may include:
A. Regulatory complaint
A complaint may lead to investigation, orders to stop unlawful processing, penalties, or sanctions.
B. Cease and desist or takedown request
The borrower may request that the lender stop contacting third persons and remove any public posts.
C. Civil action for damages
If the borrower suffered reputational harm, emotional distress, job consequences, or other damage, a civil action may be considered.
D. Criminal complaint
If messages contain threats, defamation, coercion, identity misuse, or cybercrime elements, criminal remedies may be available.
E. Administrative sanctions
Regulators may suspend, revoke, penalize, or otherwise sanction lending companies depending on the violation.
F. Data subject rights request
The borrower and affected contacts may demand access, correction, deletion, blocking, or information about data sharing.
XXIX. Does a Data Privacy Violation Cancel the Loan?
Usually, no.
A lender’s abusive collection practice does not automatically extinguish a valid loan. The borrower may still owe the principal, lawful interest, and lawful charges.
However, unlawful collection may:
- Support a separate complaint;
- Lead to penalties against the lender;
- Support a claim for damages;
- Affect the enforceability of abusive fees or terms;
- Help the borrower negotiate;
- Support defenses against unconscionable or illegal charges;
- Expose the lender or collector to liability.
Borrowers should avoid assuming that harassment means the debt no longer exists. The better approach is to challenge the abusive conduct while separately resolving or disputing the loan.
XXX. Can the Boss or Relative Sue or Complain?
Yes, depending on the facts.
A boss, relative, or friend who received improper messages may complain because their own personal information was processed and they were subjected to unwanted contact. They may also be witnesses in the borrower’s complaint.
If the message insulted, threatened, or harassed them directly, they may have independent remedies.
For example, a relative who receives repeated threats demanding payment for a debt he or she did not incur may complain for harassment or privacy violations.
XXXI. Employer Response to Collection Messages
An employer who receives a message about an employee’s debt should handle it carefully.
The employer should not:
- Publicly announce the debt;
- Discipline the employee solely based on an unverified collector message;
- Share the message with co-workers unnecessarily;
- Deduct salary without lawful authority;
- Threaten termination because of a private debt;
- Pay the debt from company funds unless authorized.
The employer may:
- Inform the employee privately;
- Preserve the message as evidence;
- Tell the collector not to contact the workplace;
- Block or report the number;
- Refer the matter to HR or legal if workplace disruption occurs.
Private debts are generally personal matters unless they directly affect work, involve fraud against the employer, or are subject to lawful payroll deduction or court process.
XXXII. Special Issues for Government Employees
If the borrower is a government employee, collection messages sent to supervisors may cause reputational harm and workplace issues. However, lenders still cannot casually disclose private loan information to government offices.
A collector may threaten administrative complaints, but nonpayment of a private loan is not automatically an administrative offense. The facts matter. Fraud, dishonesty, or court findings may have different consequences, but mere inability to pay should not be exaggerated into a disciplinary case.
XXXIII. Special Issues for Teachers, Nurses, Seafarers, BPO Workers, and OFWs
Certain workers are especially vulnerable because reputation and employment records are important.
Online lenders may target:
- Teachers by messaging school heads;
- Nurses by messaging hospitals;
- Seafarers by messaging manning agencies;
- BPO workers by messaging HR;
- OFWs by messaging recruiters or family members;
- Small business owners by messaging customers or suppliers.
Such conduct may increase damages because it can harm livelihood, contracts, professional reputation, and family relationships.
XXXIV. Public Posting on Social Media
Some collectors threaten to post the borrower’s photo, ID, or debt information online. This is highly risky and may create liability.
Public posting may involve:
- Unauthorized disclosure of personal information;
- Cyber libel;
- Harassment;
- Identity misuse;
- Violation of platform rules;
- Civil damages.
Even private group chats may count as disclosure to third persons. The more people who receive the information, the stronger the argument that the borrower was publicly shamed.
XXXV. Group Chats Created by Collectors
Some collectors create group chats including the borrower, relatives, co-workers, and friends. They then post accusations or demands for payment.
This is particularly abusive because it combines:
- Unauthorized disclosure;
- Public shaming;
- Collection pressure;
- Use of third-party data;
- Possible defamatory publication;
- Psychological harassment.
Screenshots of group chats are powerful evidence because they show the recipients, message content, timestamps, and intent to expose the borrower.
XXXVI. Fake Legal Notices and Fake Government Identity
Some online collectors send documents that look like court orders, subpoenas, warrants, barangay notices, police blotters, or prosecutor letters.
This may be unlawful if the documents are fake, misleading, or used to intimidate. Borrowers should verify any alleged legal document directly with the issuing court or office.
A legitimate legal notice should identify the real court, case number, parties, date, and authorized officer. A collector cannot create a fake “warrant” or “subpoena” to force payment.
XXXVII. Collection at Unreasonable Hours
Repeated calls or texts late at night, in the early morning, during work hours, or during family emergencies may support a finding of harassment.
A single reminder may be lawful. Repeated messages intended to annoy, shame, or intimidate are different.
Frequency matters. A borrower should document:
- Number of calls per day;
- Time of calls;
- Numbers used;
- Whether calls continued after a stop request;
- Whether calls were made to third persons;
- Whether threats were made.
XXXVIII. When the Borrower Gave the Relative as Reference
If the borrower listed a relative as a reference, the lender may argue that it had permission to contact that relative. But the scope remains limited.
A reference may be contacted to verify identity or contactability. The collector should not:
- Demand payment from the reference;
- Threaten the reference;
- Shame the borrower;
- Reveal unnecessary loan details;
- Claim the reference is liable;
- Keep calling after being told to stop;
- Use abusive language.
A reference is not a guarantor unless the reference expressly signed a legal undertaking to be liable.
XXXIX. When the Boss Was Listed as Character Reference
Listing a boss as reference does not automatically authorize full disclosure of loan delinquency.
A lender may verify employment or contact details, subject to lawful basis and proportionality. But telling the boss about default or asking the boss to discipline the borrower is generally excessive unless the employer is legally involved in the loan.
XL. Spouses and Family Members
A spouse or family member is not automatically liable for an online loan. Liability depends on law, marital property rules, benefit to the family, signatures, guarantees, and surrounding facts.
Even when a spouse may have some legal interest, collectors should not harass or threaten family members. The proper remedy is legal collection, not intimidation.
XLI. Minors and Vulnerable Contacts
If collectors message minor children, elderly parents, sick relatives, or vulnerable persons, the conduct may be viewed more seriously.
Contacting a borrower’s child to shame or pressure the parent is abusive. Messaging elderly parents with threats may cause emotional harm and may strengthen a complaint.
XLII. Data Sharing With Collection Agencies
If the lender shares borrower data with a collection agency, the lender should ensure that the sharing is lawful, disclosed, and protected.
Important questions include:
- Was the collection agency identified in the privacy notice?
- Was the sharing necessary?
- Was there a data processing agreement?
- Was the agency trained in privacy compliance?
- Did the agency receive only necessary data?
- Did the agency use data only for authorized purposes?
- Did the lender supervise the agency?
- Were third-party contacts included in the shared data?
Improper outsourcing can create liability.
XLIII. Data Retention After Loan Payment
After the loan is paid, the lender should not keep personal data indefinitely unless there is a lawful reason. Borrowers may request deletion or blocking of data no longer necessary, subject to legal retention obligations.
Collectors should also stop collection messages after payment. Continuing to contact third persons after payment may be further evidence of unlawful processing or harassment.
XLIV. If the Loan Is Fraudulent or the Borrower Did Not Apply
Some people discover that a loan was taken under their name through identity theft or unauthorized use.
If the borrower did not apply for the loan, the person should:
- Immediately dispute the loan in writing;
- Demand proof of application;
- Request copies of data used;
- Ask how identity verification was done;
- File a police or cybercrime report if identity theft is suspected;
- Notify regulators;
- Request blocking of fraudulent data processing;
- Preserve all messages and evidence.
In such cases, contacting the person’s boss or relatives is even more harmful because the underlying debt may be false.
XLV. If the Borrower Is Actually Delinquent
Even if the borrower is truly overdue, the lender must still follow the law.
The borrower should:
- Ask for a statement of account;
- Verify principal, interest, penalties, and fees;
- Check whether charges are lawful and agreed;
- Offer a payment plan if possible;
- Communicate in writing;
- Avoid abusive collectors by demanding formal channels;
- Pay through official channels only;
- Keep receipts;
- Avoid giving new permissions to unknown apps;
- File complaints for unlawful collection while addressing the debt.
Being delinquent does not remove the borrower’s right to privacy and dignity.
XLVI. Practical Complaint Outline
A complaint may be organized as follows:
- Name and contact details of complainant;
- Name of lending app and company;
- Loan details;
- Timeline of events;
- Description of unlawful access to contacts;
- Description of messages sent to borrower;
- Description of messages sent to boss, relatives, or friends;
- Explanation of harm suffered;
- Laws or rights violated;
- Relief requested;
- Evidence list;
- Verification or certification, if required by the receiving office.
Requested relief may include:
- Investigation;
- Order to stop contacting third persons;
- Deletion or blocking of unlawfully processed contact data;
- Penalties;
- Damages, where proper;
- Sanctions against the lender or collection agency;
- Takedown of posts;
- Confirmation of data shared and recipients.
XLVII. Sample Evidence Timeline
A clear timeline helps regulators understand the case.
Example:
- 1 March 2026 – Borrower downloaded the app and applied for a loan.
- 2 March 2026 – Loan was released.
- 15 March 2026 – Borrower missed due date.
- 16 March 2026, 8:00 AM – Collector texted borrower threatening to contact employer.
- 16 March 2026, 9:30 AM – Borrower’s boss received a message stating borrower had unpaid loan.
- 16 March 2026, 10:00 AM – Borrower’s mother received a message calling borrower a scammer.
- 16 March 2026, 11:00 AM – Collector created group chat with relatives.
- 17 March 2026 – Borrower demanded that lender stop contacting third persons.
- 18 March 2026 – Collector continued sending messages to co-workers.
A timeline should be supported by screenshots.
XLVIII. Sample Data Privacy Rights Request
A borrower may send a written request such as:
I am exercising my rights as a data subject. Please provide the personal data you hold about me, the source of such data, the purposes of processing, the recipients or categories of recipients to whom my data has been disclosed, and the identity of any collection agency or third party that processed my data.
I also request that you stop processing my personal data and the personal data of my contacts for harassment, public shaming, or third-party collection messages. Please delete or block all contact-list data that is not necessary for any lawful purpose.
This request should be sent to the company’s official email or data protection contact, if available.
XLIX. Defenses Commonly Raised by Lending Apps
Online lending apps may raise several defenses.
1. “The borrower consented.”
This may fail if consent was not informed, specific, freely given, or proportionate.
2. “The contact was listed as a reference.”
A reference is not a debtor. The scope of contact is limited.
3. “We only reminded the borrower.”
This fails if the messages were sent to third persons or contained threats, insults, or disclosures.
4. “The collector acted alone.”
The lender may still be liable if the collector acted within collection operations or used data provided by the lender.
5. “The borrower really owes money.”
A valid debt does not justify unlawful disclosure or harassment.
6. “The message did not state the loan amount.”
Even saying the borrower has an unpaid loan may disclose private financial information.
7. “The contacts were publicly available.”
A phone number being known to the borrower does not make it freely usable for debt shaming.
L. Best Practices for Online Lending Companies
A compliant online lending company should:
- Collect only necessary personal data;
- Avoid accessing the full contact list;
- Use clear privacy notices;
- Obtain valid and specific consent where needed;
- Limit collection communications to the borrower and legally responsible parties;
- Train collectors on lawful practices;
- Prohibit threats, insults, and shaming;
- Monitor collection agencies;
- Keep records of data sharing;
- Provide data subject rights channels;
- Stop processing upon valid objection where required;
- Secure borrower data;
- Avoid fake legal threats;
- Respect human dignity in collection.
Responsible lending includes responsible collection.
LI. Best Practices for Borrowers
Borrowers should:
- Read app permissions before installing;
- Avoid apps requiring unnecessary contact access;
- Check if the lender is registered;
- Save loan agreements and screenshots;
- Pay through official channels only;
- Avoid giving access to contacts if unnecessary;
- Use written communication;
- Ask for a breakdown of charges;
- Never ignore legitimate demand letters;
- File complaints for abusive conduct;
- Warn references before listing them;
- Avoid naming bosses or relatives unless necessary;
- Keep proof of payment.
Borrowers should also avoid taking multiple short-term loans from unverified apps because this increases exposure to abusive collection ecosystems.
LII. Legal and Practical Conclusion
An online lending app that texts a borrower’s boss, relatives, co-workers, friends, or phone contacts about an unpaid loan may be violating Philippine data privacy law and related rules on fair debt collection. The case for a violation is stronger where the message discloses the debt, uses threats or insults, shames the borrower, pressures third persons to pay, or relies on contact-list data obtained through broad app permissions.
A lender has the right to collect a valid debt, but that right must be exercised lawfully. The borrower’s financial information is not public property. A boss, relative, or friend is not automatically part of the loan transaction. A phone contact is not automatically a guarantor. A reference is not automatically liable. Consent to use an app is not consent to humiliation.
For borrowers, the best response is to preserve evidence, demand that unlawful third-party contact stop, exercise data privacy rights, file appropriate complaints, and address the debt separately through lawful channels. For lenders, the safest rule is clear: collect debts directly, respectfully, proportionately, and without weaponizing personal data.