What are the penalties for a lender that abuses my personal data?
Last updated: 2026-07-11 · Educational content; not legal advice.
Short answer
The Data Privacy Act (RA 10173) sets criminal penalties. Unauthorized processing of personal information is punished by imprisonment of one to three years and a fine of ₱500,000 to ₱2,000,000, rising to three to six years and up to ₱4,000,000 for sensitive personal information (§25). Malicious disclosure carries one year and six months to five years plus ₱500,000 to ₱1,000,000 (§31), and unauthorized disclosure carries one to three years plus ₱500,000 to ₱1,000,000 (§32). The National Privacy Commission can also impose administrative fines and order deletion, on top of any SEC sanctions for unfair collection.
Primary sources
Frequently asked
What's the difference between §25 and §32?
§25 (unauthorized processing) punishes processing personal data without a lawful basis or consent. §32 (unauthorized disclosure) punishes a controller who discloses your data to a third party without authority — for example, messaging your contacts about your debt. Both are crimes with imprisonment and fines under RA 10173.
Are the fines higher for sensitive data?
Yes. RA 10173 raises the penalty when sensitive personal information (e.g., health, government IDs, financial account data) is involved — for instance §25 goes up to three-to-six years and ₱4,000,000, versus one-to-three years and ₱2,000,000 for ordinary personal information.
Can the NPC fine the company directly?
Yes. Separate from the criminal penalties (which a court imposes after DOJ prosecution), the NPC can levy administrative fines under NPC Circular 2022-01 and order the company to stop and to delete data. The exact administrative fine depends on the circular's schedule and the company's income.
Take action
Got a similar problem?
File a complaint and we'll pre-fill BSP, SEC, DTI, and small-claims letters for you.
Contact-list scraping, unauthorized data use, and how to file with the NPC.