Requesting Data Deletion from Online Lending Apps in the Philippines

Requesting Data Deletion from Online Lending Apps in the Philippines

A practical, law-grounded guide for borrowers and consumers (General information only; not a substitute for legal advice.)

1) Why this matters

Online lending apps (“OLAs”) often collect far more data than is needed—contact lists, photos, SMS logs, location, device IDs. In the Philippines, you have legal rights to stop unnecessary processing and demand deletion (erasure or blocking) of personal data—especially when it’s being used for harassment or for purposes beyond your consent.

2) The legal framework (Philippine context)

Core law

  • Republic Act No. 10173 – the Data Privacy Act of 2012 (DPA) and its Implementing Rules and Regulations (IRR).

    • Recognizes data subject rights: to be informed, object, access, correct, erasure/blocking, data portability, and damages.
    • Applies to personal information controllers (PICs) and processors (PIPs) established in the Philippines, and even to those outside the country if they use equipment in the Philippines or maintain a link here.

Sector rules you should know

  • Securities and Exchange Commission (SEC) rules for lending and financing companies (including OLAs):

    • Prohibition on unfair debt collection practices (e.g., threats, obscene language, public shaming, contacting people in your phonebook).
    • Guidelines for OLAs (registration, transparency, complaint channels, disclosures).

  • Bangko Sentral ng Pilipinas (BSP) consumer protection regime applies to banks and BSP-supervised institutions; if your lender is a bank or e-money issuer, you also have BSP complaint routes.

  • AMLA (RA 9160, as amended): lenders must retain KYC/transaction records for a statutory minimum period (commonly at least 5 years from the last transaction or account closure).

  • Credit Information System Act (RA 9510): lenders may be required to submit and retain basic credit data with the Credit Information Corporation (CIC). This affects deletion requests (see §6).

Key idea: Your right to deletion is strong, but not absolute. Lenders can keep only what the law requires (e.g., AMLA, tax/audit retention, compliance, defense of claims). Outside those limits, unnecessary or unlawful data must be deleted or blocked.

3) What “deletion” really means

Under the DPA/IRR, “erasure or blocking” includes:

  • Permanent deletion of data from active systems;
  • Blocking or restriction so the data cannot be used for any purpose;
  • Anonymization (irreversible de-identification).

Backups & logs: Lenders may keep data in archival backups for limited, clearly stated periods, but must (a) stop using it for any purpose and (b) erase it on the next routine purge.

4) When you can demand deletion

You can ask a lender/app to erase or block your data if any of the following apply (common DPA grounds):

  • Data was processed without valid consent or for purposes incompatible with what you were told (e.g., scraping your contacts to shame you).
  • Data is excessive or no longer necessary for the service (e.g., camera roll, contact list, geolocation after loan is closed).
  • Data is inaccurate or outdated and the controller refuses to correct it.
  • Processing violates the DPA/IRR (unfair collection, insufficient notice/security).
  • You withdraw consent and no other lawful basis justifies continuing to process that specific data.

5) When a lender can say “no” (common, narrow exceptions)

A lender may refuse (in whole or part) only to the extent necessary to:

  • Comply with a legal obligation (AMLA, tax, corporate, audit, SEC record-keeping).
  • Establish, exercise, or defend legal claims (e.g., a pending case over a loan).
  • Fulfill credit reporting obligations (CIC)—but even then, you can dispute or correct entries rather than delete them outright.

Important: Even if an exception applies, the lender must explain it, and still delete or block all non-required data (like scraped contacts, photos, location, device metadata that’s not legally required).

6) Special data types in lending apps

  • Contact list / call/SMS logs / photos / microphone / location. Almost never strictly necessary to grant or collect for loan servicing. If used to harass or “name-and-shame,” processing is likely unlawful. You can demand immediate deletion and cessation of use, and report to SEC/NPC if they refuse.

  • KYC data (IDs, selfies, liveness checks). Portions may be retained for AMLA/record-keeping within statutory periods, but must be secured, minimized, and not reused for marketing or harassment. You can still seek restriction (no use beyond compliance).

  • Credit data submitted to the CIC. You usually can’t force CIC to delete accurate, lawful history, but you can:

    • Dispute inaccuracies;
    • Require the lender to update/rectify;
    • Ask for suppression of data processed unlawfully.

7) How to request deletion—step by step

A) Prepare

  1. Identify the true controller. The app name may differ from the lending/financing company behind it. Note both.

  2. Gather evidence: screenshots of app permissions, messages, collection notices, harassment logs, receipts (if loan is closed or current), your IDs (redact unnecessary fields).

  3. Decide your ask:

    • Full deletion of unnecessary data (contacts, photos, device data, analytics).
    • Restriction of KYC/transaction data to bare legal compliance only.
    • Confirmation of third-party deletion (e.g., cloud providers, marketing partners).
    • Cessation of unfair collection tactics and a record of system changes.

B) Send a formal DPA request (DSAR)

  • Address it to the company’s Data Protection Officer (DPO) (listed in the privacy notice) and to any processor that contacted you.

  • Include: your full name, contact details, app account/loan reference, proof of identity (minimized), and the legal bases for deletion.

  • Ask for:

    • A copy of all personal data they hold (optional but helpful);
    • Specific deletion of data items listed;
    • Restriction of any data they claim must be kept (state the legal basis, retention period, and systems where stored);
    • Deletion from third parties to whom the data was disclosed;
    • A written certificate of deletion/restriction and the date it was carried out.

Timeline: The DPA expects controllers to act within a reasonable period. In practice, many organizations follow a ~30-day window for DSARs. If they need more time, they should explain why and what remains outstanding.

C) Technical hygiene (you control this part)

  • Revoke app permissions (Contacts, SMS, Location, Photos) in your phone’s settings.
  • Uninstall the app after you submit your request (keep screenshots and documents first).
  • Reset advertising IDs in your device privacy settings.
  • Change any reused passwords and enable 2FA for your email/financial accounts.

8) Template you can reuse (adapt as needed)

Subject: Data Deletion and Restriction Request under the Philippine Data Privacy Act (RA 10173)

Hello DPO/Privacy Team,

I am a user/borrower of [App/Lender Name] with account/loan reference [xxxxx]. Pursuant to the Data Privacy Act of 2012 and its IRR, I am exercising my rights to erasure/blocking and restriction of processing.

Please delete all personal data that are not legally necessary to retain, including (as applicable):

  • Device and app data (advertising IDs, device IDs, logs not required by law)
  • Contact list, call/SMS logs, location data, photos/media, microphone recordings
  • Analytics/marketing identifiers and profiles
  • Any copies shared with third parties or service providers for these purposes

If you believe certain data must be retained, please restrict their use strictly to legal compliance (e.g., AMLA/SEC/BIR) and provide:

  1. The legal basis and specific retention period;
  2. The systems/locations where the data are stored;
  3. The purposes for which they may still be accessed.

Please also:

  • Confirm deletion from third parties with whom you shared my data for non-essential purposes;
  • Provide a Certificate of Deletion/Restriction indicating the date and scope;
  • Provide a summary of my personal data that you currently hold (categories, sources, recipients).

I withdraw any consent for processing beyond loan servicing and legal compliance. Please stop all collection and harassment communications, including contacting any third parties from my phonebook or elsewhere.

Kindly respond within a reasonable period and no later than 30 days from receipt. If you require limited information to verify my identity, please specify exactly what is needed.

Sincerely, [Your Name] [Email/Phone] [Date]

(Attach: redacted ID showing name/photo; relevant screenshots)

9) If the app refuses, delays, or continues harassment

Escalation map

  • National Privacy Commission (NPC): File a complaint for unlawful processing, failure to honor rights, or harassment involving personal data (e.g., “contact list shaming”). Provide your request, timeline, the app’s reply (or lack of it), and evidence.
  • SEC (for lending/financing companies): Report unfair debt collection (threats, public shaming, contacting your contacts/co-workers). SEC can fine, suspend, or revoke licenses.
  • BSP (for banks/BSP-supervised lenders): Use the BSP consumer assistance channel.
  • CIC dispute (credit reports): If inaccurate data persists, file a dispute through the lender and, if needed, with the Credit Information Corporation.
  • NTC/telecom & law enforcement: For mass spam/harassment calls or threats, also consider NTC complaint routes and, in serious cases, police/NBI assistance.

Keep a paper trail: dates, copies of messages, call logs, witness statements, screenshots of app permissions, proof you sent your DSAR.

10) Practical boundaries & gotchas

  • Unpaid loans: You can still demand deletion of unnecessary data (e.g., contacts, location, photos) and restriction of what they claim they must keep. They may continue to process minimal data needed to enforce the loan lawfully, but harassment is not lawful.
  • Paid/closed loans: Strong case for deletion of everything except what a statute requires to keep (AMLA, tax/audit). Ask for the specific retention schedule.
  • Third-party processors (cloud, analytics): The controller must push down your deletion request and confirm completion.
  • Backups: Accept that full purge may occur at the next scheduled cycle; demand immediate restriction meanwhile.
  • Identity verification: Provide only what’s necessary; redact ID numbers/addresses if not needed.
  • Ongoing cases: If you’ve filed with NPC/SEC or there’s litigation, consider asking for restriction (legal hold) rather than total deletion to avoid spoliation issues—your lawyer can advise.

11) Frequently asked questions

Q: Can I force deletion from the CIC? A: Not usually if the entry is accurate and lawfully submitted. You can dispute inaccuracies, require updates, or seek suppression of data that was unlawfully obtained or processed.

Q: The app says I “consented” to contact-list access. A: Consent must be freely given, specific, informed, and evidenced. “Take-it-or-leave-it” consent to invasive permissions unrelated to lending is likely invalid. You can withdraw consent and demand deletion of those data.

Q: They claim they need everything for “legitimate interests.” A: Legitimate interests cannot override your rights where the data are excessive or the impact (e.g., harassment) is disproportionate. Ask for their legitimate interest assessment and demand minimization.

Q: They won’t respond. A: Send a final notice, then escalate to NPC (privacy) and SEC/BSP (conduct). Attach your evidence and timelines.

12) One-page checklist

  • Identify the controller (company behind the app) and the DPO.
  • Gather evidence (permissions, messages, logs, receipts).
  • Draft and send a DSAR asking for deletion/restriction + third-party deletion.
  • Set a 30-day response expectation; ask for a certificate.
  • Revoke permissions, uninstall app, reset ad IDs, change passwords.
  • If no resolution: NPC (privacy), SEC/BSP (collection conduct), CIC (credit dispute).
  • Keep a timeline of everything.

13) Final tips

  • Be specific about which data to delete and why they’re unnecessary.
  • Always request the legal basis for anything the lender insists on keeping, with a retention period and purpose limitation in writing.
  • Don’t send more personal data than needed to verify your identity.
  • If harassment occurred, include that fact—it strengthens the case for unlawful processing and regulatory action.

If you want, I can tailor a deletion letter to your exact situation (app name, what they collected, whether your loan is closed, and any harassment you’ve experienced).

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login