Right to Erasure Under the Philippine Data Privacy Act: How to Request Data Deletion from Lenders

Updated for Philippine context and practice. This article is legal information, not legal advice.

1) The legal backbone

Republic Act No. 10173 (Data Privacy Act of 2012, “DPA”) and its Implementing Rules and Regulations (IRR) give every data subject in the Philippines the right to erasure or blocking of personal data. For lenders (banks, financing and lending companies, micro-finance institutions, credit card issuers, and digital loan apps), that right operates alongside sector-specific duties under banking, anti-money laundering, tax, and corporate laws. In practice, erasure means the lender must delete, anonymize, or make your data permanently inaccessible when legal grounds exist—unless another law requires them to keep it.

What counts as “personal data” here?

  • Identifiers (name, mobile number, government IDs, selfie/KYC images, biometrics)
  • Financial and transactional data (loan applications, payment histories, account numbers, card PANs—usually tokenized)
  • Device and app data (advertising IDs, device fingerprints, geolocation, call recordings)
  • Contact lists and photos (if you granted an app permission—often unnecessary and contestable)

2) When you can demand deletion (or blocking)

Under the DPA and IRR, you may invoke erasure or blocking when any of the following applies:

  1. The data is no longer necessary for the purpose it was collected (e.g., a declined loan application from years ago that’s not needed for legal retention).
  2. Processing is unlawful or data was unlawfully obtained (e.g., an app scraped your contacts without a true legal basis).
  3. You withdrew consent and no other legal basis applies.
  4. The data is inaccurate, outdated, incomplete, or excessive, and correction is not sufficient or practicable.
  5. The purpose is unauthorized, such as using your data for marketing or “contact-shaming” unrelated to debt collection.

Important: If another law requires retention (e.g., anti-money laundering, bank secrecy compliance, tax audits, ongoing litigation or regulatory investigations), the lender may decline immediate deletion but must restrict processing to that retention purpose and stop using the data for anything else (like marketing).

3) Limits and lawful refusals lenders may raise

  • Statutory retention: Anti-Money Laundering rules generally require lenders to keep customer identification and transaction records for a fixed period (commonly five years, extended if there’s a case or investigation). Tax and corporate laws may also impose retention (often up to 10 years for books/records).
  • Legal claims/defense: If there’s a pending collection case, arbitration, or investigation, lenders can keep what they reasonably need to establish or defend claims—but should freeze other uses.
  • Credit reporting: Lenders may have submitted your credit data to the Credit Information Corporation (CIC) and/or private credit bureaus. Deleting data at the lender does not automatically purge records held by these entities. They each have their own correction/dispute processes and retention windows.
  • Backups and disaster recovery: A lender can keep point-in-time backups if technically necessary, but must (a) stop active use, (b) label data as “do not restore/use”, and (c) ensure eventual overwriting per their retention schedule.

4) What “erasure” should look like in practice

Depending on systems and legal constraints, compliant outcomes include:

  • Permanent deletion from production systems
  • Anonymization (irreversible de-identification) if deletion isn’t feasible
  • Blocking/restriction: moving data to a quarantined state usable only for the specific legal retention purpose
  • Propagation to processors and affiliates: instructing cloud vendors, call centers, collectors, and analytics providers to mirror the action
  • Third-party notice: where feasible, noticing other recipients (e.g., marketing partners) to delete or stop using the data

5) How to request deletion from a lender (step-by-step)

  1. Gather references. Have your full name, registered mobile/email, account/loan number(s), and government ID handy. If this involves a loan app, note the app name, publisher, and date installed.
  2. Identify the specific data you want erased or blocked and why (e.g., “no longer necessary,” “unlawfully obtained,” or “consent withdrawn”).
  3. Find the Data Protection Officer (DPO). Check the lender’s privacy notice, app store listing, or website footer for DPO email/postal address and any data rights request portal.
  4. Send a written request (email is fine) invoking your right to erasure/blocking under the DPA, stating the grounds and desired remedy (delete, anonymize, and/or restrict). Ask the lender to cascade the action to processors/affiliates and to confirm in writing.
  5. Attach identity proof (e.g., 1 valid ID). If acting through a representative, include an authorization letter and their ID.
  6. Ask for specifics. Request (a) what will be deleted vs. retained, (b) the legal basis for any retention, (c) where data is stored (including third parties), and (d) when deletion will complete (production and backups).
  7. Follow up. If you don’t hear back within a reasonable period (many organizations target 30 days in their privacy notices), send a reminder and ask for escalation to the DPO or compliance head.
  8. Escalate externally if needed (see §10): file a complaint with the National Privacy Commission (NPC) if the lender fails to act lawfully or in good faith.

6) Special lender scenarios

  • Declined or abandoned applications: Often deletable once retention windows lapse. If the lender says they “need it,” ask for the specific law/policy and exact retention period.
  • Marketing databases: If marketing was based on consent or “legitimate interests,” you can withdraw consent and/or object to processing—and ask for erasure from marketing lists immediately, regardless of loan status.
  • Contact-shaming and excessive permissions: If a loan app scraped your contacts, photos, or messages, challenge the lawful basis and demand erasure. You may also demand cease-and-desist for harassment and report to regulators.
  • Collections and third-party agencies: You can direct the lender to instruct its collectors to erase or cease using your data for non-essential purposes (e.g., social media shaming). The lender remains accountable for its processors.
  • CIC/credit bureau entries: Use the dispute/correction process of CIC or the bureau to update or suppress inaccurate or outdated negative entries. Ask the lender to notify CIC/bureaus of corrections where appropriate.

7) What to include in your erasure request (checklist)

  • ✅ Statement invoking your DPA right to erasure/blocking
  • Grounds (no longer necessary; unlawful; consent withdrawn; inaccurate/outdated/excessive)
  • Data categories to be erased (e.g., contact list, call recordings, geolocation, device/advertising IDs, marketing profiles, old applications)
  • Scope (production systems, data lakes, analytics, marketing platforms, vendors, affiliates, collectors)
  • Proof of identity (and authority if applicable)
  • Confirmation requested (written confirmation + description of what stays, legal basis, timeline, and cascade to third parties)

8) Sample erasure letter (you can copy-paste)

Subject: Data Privacy Act – Request for Erasure/Blocking of Personal Data To: [Data Protection Officer], [Lender/Company Name]

I am exercising my right to erasure/blocking under the Data Privacy Act of 2012 and its IRR.

Identity: • Full name: [ ] • Registered email/mobile: [ ] • Account/Loan No.: [ ] • Attached: government-issued ID (and authorization, if applicable)

Request: Please erase and/or block the following categories of my personal data from your systems and your processors/affiliates: [list categories].

Grounds: [Choose all that apply] • The data is no longer necessary for the purpose for which it was collected; • The data was unlawfully obtained or used for an unauthorized purpose; • I have withdrawn consent and no other lawful basis applies; • The data is inaccurate/outdated/excessive and I prefer erasure rather than correction.

Specific requests:

  1. Written confirmation of actions taken;
  2. Description of any data you must retain, with the legal basis and retention period;
  3. Confirmation that your processors/collectors/affiliates have been instructed to mirror the action;
  4. Target completion date for deletion/anonymization (including backups).

Thank you.

[Name] [Date]

9) Evidence to keep (for your records)

  • Copy of your request and all replies
  • Screenshots of the app permissions you previously granted (e.g., contacts)
  • Call logs/SMS/email showing marketing or harassment (if relevant)
  • Any privacy notices, DPO details, and retention policies you relied on

10) If the lender refuses or ignores you

  1. Ask for a written refusal stating the exact legal basis for retention or denial.
  2. Propose restriction as an interim measure (block data for anything other than the claimed legal basis).
  3. Complain to the National Privacy Commission (NPC). Typically, you’ll show that you first tried to resolve with the lender. Prepare your affidavit, evidence, and copies of correspondence. NPC can issue compliance orders, require corrective actions, and—in appropriate cases—refer or coordinate on possible criminal liability for unlawful processing or unauthorized disclosure.
  4. Other regulators: Depending on the entity, you may also raise concerns with the Bangko Sentral ng Pilipinas (BSP), Securities and Exchange Commission (SEC), or Department of Trade and Industry (DTI) for consumer protection issues.

11) Practical tips that boost success

  • Be precise. Name the systems/data types you want erased (e.g., “marketing CRM, data lake, analytics, and vendor-hosted dialer lists”).
  • Withdraw consent + object. Even if you rely on erasure, also withdraw marketing consent and object to processing for direct marketing or profiling.
  • Ask for “proof of action.” Request deletion/anonymization tickets, screenshots, or vendor instructions (with sensitive details redacted).
  • Challenge excessive collection. If a loan app demanded contacts, photos, or microphone access, question the necessity and legal basis, and demand erasure.
  • Mind credit reporting paths. If outcomes hinge on your credit file, start a parallel dispute with CIC/credit bureaus.

12) Frequently asked questions (Philippine lending context)

Q: Can a lender keep my data after I finish paying the loan? A: Yes, for legally mandated retention (e.g., AML, audit, tax, risk). They must stop using it for new purposes (like marketing) and erase what’s not required once retention lapses.

Q: Can I force deletion of my missed-payment history? A: Not if a law or a legitimate basis requires keeping accurate credit history. You can contest inaccuracies or outdated entries and demand correction; for credit bureaus, use their dispute process.

Q: What about call recordings and GPS data collected by a loan app? A: If not necessary for a disclosed, lawful purpose, you may demand erasure. If the lender claims necessity, ask for the specific purpose, legal basis, and retention period, and push for restriction until resolved.

Q: They said “we can’t delete backups.” A: Backups may be kept for continuity, but the lender must (1) block active use, (2) prevent restoration of your records to production, and (3) delete on the next regular overwrite per policy.

Q: How long should a response take? A: The DPA requires action within a reasonable period. Many organizations commit to around 30 days in their privacy notices. Ask for a clear timeline and escalate if they’re non-responsive.

13) One-page action plan (summary)

  1. List the data you want erased + state grounds.
  2. Email the DPO using the template in §8, with your ID.
  3. Require confirmation and vendor cascade.
  4. Accept lawful retention (if cited) but insist on restriction.
  5. Dispute credit entries separately with CIC/bureaus if needed.
  6. Escalate to NPC and sector regulators if the lender stonewalls.

Key takeaway

Your right to erasure under the DPA is real and enforceable, but it co-exists with lenders’ statutory retention duties. Frame your request to (a) erase what can be erased, (b) restrict what must stay, and (c) stop any non-essential uses—and insist on documented follow-through across the lender’s vendors and affiliates.

Disclaimer: This content is not legal advice and may involve AI assistance. Information may be inaccurate.

Privacy Policy

Terms of Use

Lawyer Login

 
 
Privacy Policy         Terms of Use         Lawyer Login