Step 1: Identify the specific violation
Map your facts to a Data Privacy Act provision. The most common online-lending and motor-vehicle-finance violations are: unauthorised collection of contacts and SMS history (Section 12, criteria for lawful processing of personal information); processing beyond the disclosed purpose (Section 11, general data privacy principles: transparency, legitimate purpose, and proportionality); unlawful disclosure to third parties such as friends, family, or employers (Section 32, unauthorised disclosure); and processing of sensitive personal information without specific consent (Section 13).
A single fact pattern often hits more than one section. Contact-list scraping that is then used for harassment messages violates Sections 11, 12, and 32 simultaneously. List each section and tie each piece of evidence to it.
- [law] RA 10173: Data Privacy Act of 2012
- [regulation] NPC Circular 16-01
Step 2: Capture install-time permissions
If the app is still installed, screenshot the app's permissions screen on Android (Settings → Apps → [App name] → Permissions) and on iOS (Settings → [App name]; Settings → Privacy & Security → Contacts also lists every app that has been granted contact access). Both surfaces show what the app currently has access to, not what it asked for at install, so capture them before revoking anything. Compare with the app's stated privacy policy.
If the app is uninstalled, the Play Store and App Store listings preserve the data-safety section. Screenshot it. The Wayback Machine may have an archived copy of the older privacy policy if the company has updated it since your install; search web.archive.org for the Play Store URL and for the privacy-policy URL itself.
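A screenshot of the Settings page records what the app holds today but not whether the grant was made at install or at a runtime prompt, which matters when the complaint argues about consent. On Android, `adb shell dumpsys package <package>` captured to a text file preserves both, per permission. The following is an added example, not part of the original guide: it parses that dumpsys output and lists the sensitive permissions the app holds that its privacy policy never mentions. The package name com.example.lendapp, the sample dump, and the DISCLOSED set are constructed for the example.

```python
"""Extract granted Android permissions from `adb shell dumpsys package <pkg>` output
and compare them with what the app's privacy policy discloses (added example)."""
import re
from typing import Dict, Set

# Permissions whose grant to a lending app most often underlies a DPA complaint.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Matches lines such as "android.permission.READ_SMS: granted=true, flags=[ USER_SET ]"
_GRANT_LINE = re.compile(r"^\s*([A-Za-z0-9_.]+):\s+granted=(true|false)")
# Matches section headers such as "install permissions:" / "runtime permissions:"
_SECTION_LINE = re.compile(r"^\s*([a-z ]+permissions):\s*$")


def parse_granted(dump: str) -> Dict[str, str]:
    """Return {permission: section} for every permission dumpsys reports as granted.

    section is "install permissions" (granted automatically at install) or
    "runtime permissions" (granted by the user at a prompt); "requested permissions"
    lines carry no granted= field and are therefore ignored.
    """
    granted: Dict[str, str] = {}
    section = ""
    for line in dump.splitlines():
        m_sec = _SECTION_LINE.match(line)
        if m_sec:
            section = m_sec.group(1)
            continue
        m = _GRANT_LINE.match(line)
        if m and m.group(2) == "true":
            granted[m.group(1)] = section
    return granted


def undisclosed_sensitive(granted: Dict[str, str], disclosed: Set[str]) -> Set[str]:
    """Sensitive permissions the app holds that the privacy policy does not mention."""
    return {p for p in granted if p in SENSITIVE and p not in disclosed}


# Constructed sample in dumpsys format; com.example.lendapp is a hypothetical package.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.lendapp] (1a2b3c4):
    userId=10234
    versionName=3.4.1
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.READ_SMS
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
    User 0: ceDataInode=12345 installed=true hidden=false stopped=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET|USER_FIXED ]
"""

# Constructed: what the hypothetical privacy policy admits to (camera for KYC selfies only).
DISCLOSED = {"android.permission.CAMERA", "android.permission.INTERNET"}

if __name__ == "__main__":
    grants = parse_granted(SAMPLE_DUMP)
    for perm, section in sorted(grants.items()):
        print(f"{perm:<50} {section}")
    print("undisclosed sensitive grants:", sorted(undisclosed_sensitive(grants, DISCLOSED)))
```

Keep the raw dumpsys text file in the evidence pack alongside the screenshots; the "runtime permissions" section with its flags shows whether the user actually tapped Allow, which the Settings screenshot does not.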

Step 3: Preserve every harassment message your contacts received
The strongest evidence comes from your contacts, not from you. If anyone in your phonebook received a message about your loan, ask them to: forward you a screenshot showing sender, recipient, date, time, and content; keep the original message on their device rather than deleting it, since a screenshot alone can be challenged; record their relationship to you ("college classmate, last contact 2019"); and confirm they did not consent to receive financial information about you.
A sworn statement is not required at intake but strengthens the file at adjudication. NPC's Complaints and Investigation Division has docketed cases on the strength of three or more third-party affidavits.
Step 4: Send a Data Subject Access Request to the company DPO
RA 10173 Section 16 gives every data subject the right to access the personal information held about them and to demand its erasure. Under NPC Circular 16-03 the controller has fifteen days to respond. Send a written DSAR to the company's Data Protection Officer (DPO). Most companies list the DPO email on their privacy policy; if none is listed, that absence is itself a violation (NPC Advisory 17-01 requires every personal-information controller to designate and publish a DPO).
The DSAR demands: a list of all personal data held; the source of each item; the parties it has been disclosed to; the retention period; and the legal basis for processing. After fifteen days, the company's response (or non-response) becomes evidence in your NPC complaint.
- [regulation] NPC Circular 16-03: Data Subject Rights
- [regulation] NPC Advisory 17-01: Designation of DPO
Step 5: File the NPC complaint
File via privacy.gov.ph ("File a Complaint") or by email to complaints@privacy.gov.ph. The filing requires: complainant identification, respondent identification (corporate name and registration number), a verified statement of facts, the specific Data Privacy Act provisions allegedly violated, the relief requested, and supporting documents. NPC requires the complaint to be verified; notarisation of the verification is required for formal docketing.
Relief that NPC can grant: a cease-and-desist order against the processing; an order to delete the data; a compliance order with detailed remediation steps; an administrative fine (up to ₱5,000,000 per violation under NPC Circular 2022-01 on administrative fines); and a referral to the Department of Justice for criminal prosecution.
- [regulation] NPC Rules of Procedure (NPC Circular 2021-01)
- [regulation] NPC Circular 2022-01: Administrative Fines
Step 6: Follow through and coordinate
NPC's Complaints and Investigation Division acknowledges within five days. The case is evaluated; mediation is offered within thirty days; if no settlement, a formal investigation begins. The 2021 takedown of JuanHand and three other apps shows that NPC will act on aggregated complaints quickly when documentation is strong.
Coordinate with parallel SEC and BSP filings. NPC, SEC, and BSP do not formally share complaint files but each agency's case officers will give weight to a clearly cross-referenced filing. Maintain a single evidence pack and update all three agencies as new evidence appears.
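A single evidence pack sent to three agencies over many months is only useful if each recipient can confirm they hold the same files you originally collected, and if you can show nothing was altered after the fact. The following is an added example, not part of the original guide: it hashes every file in the pack into a MANIFEST.json and later verifies the pack against that manifest, reporting modified, missing, and untracked files. The directory layout, file contents, and the address dpo@example.com are constructed for the demonstration.

```python
"""Build and verify a SHA-256 manifest for an evidence pack (added example)."""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Dict, List

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large screenshots and videos are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict:
    """Hash every file under root (except the manifest itself), keyed by relative path."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(root).as_posix()
            files[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return {"created_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "files": files}


def write_manifest(root: Path, manifest: Dict) -> Path:
    out = root / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def verify_manifest(root: Path, manifest: Dict) -> List[str]:
    """Return sorted problems ("modified: ...", "missing: ...", "untracked: ...").

    An empty list means the pack on disk matches the manifest exactly.
    """
    problems = []
    expected = manifest["files"]
    for rel, meta in expected.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != meta["sha256"]:
            problems.append(f"modified: {rel}")
    for p in root.rglob("*"):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(root).as_posix()
            if rel not in expected:
                problems.append(f"untracked: {rel}")
    return sorted(problems)


def run_demo() -> Dict[str, List[str]]:
    """Constructed evidence pack in a temp dir: verify intact, then verify after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "screenshots").mkdir()
        (root / "screenshots" / "permissions-android.png").write_bytes(b"\x89PNG constructed sample")
        (root / "contacts").mkdir()
        (root / "contacts" / "classmate-2019.txt").write_text("forwarded SMS, constructed sample\n")
        (root / "dsar-sent.txt").write_text("DSAR sent to dpo@example.com (hypothetical)\n")
        manifest = build_manifest(root)
        write_manifest(root, manifest)
        intact = verify_manifest(root, manifest)
        # Simulate the three things a later reviewer must be able to detect.
        (root / "contacts" / "classmate-2019.txt").write_text("edited after the fact\n")
        (root / "dsar-sent.txt").unlink()
        (root / "late-addition.txt").write_text("added without updating the manifest\n")
        tampered = verify_manifest(root, manifest)
        return {"intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Rebuild the manifest whenever you add evidence, keep each dated manifest, and quote the manifest's hash values in the cover letter to each agency so the three filings can be shown to contain identical material.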
Action checklist
- Identify each Data Privacy Act provision the violation hits.
- Screenshot the app's current and historical permission requests.
- Collect screenshots and statements from every third party contacted.
- Send a written Data Subject Access Request to the DPO.
- Wait fifteen days for a DPO response.
- Notarise the complaint and file via privacy.gov.ph.
- Cross-reference parallel SEC, BSP, and small-claims filings.
Frequently asked questions
Do I need a lawyer to file with NPC?
No. NPC's Rules of Procedure permit pro-se filings. Verification (notarisation) is required, but no counsel of record is needed.
How long does an NPC case take?
Mediation typically resolves within thirty days. Formal investigations take six to eighteen months for a final decision. Cease-and-desist orders can issue at any point.
Can NPC make the company pay me?
NPC imposes administrative fines payable to the government, not to the complainant. For monetary recovery, file a parallel civil action for damages under Civil Code Articles 19, 20, and 21 (as a small-claims case where the amount falls within the small-claims ceiling).
More questions about this topic
What does the NPC require to file?
NPC Circular 16-04 requires a written complaint identifying the data controller, describing the alleged violation, attaching documentary evidence, and indicating prior attempts to resolve with the controller. Filing is free.
How long do I have to file?
NPC Circular 16-04 sets a 1-year prescriptive period from the date the complainant knew of the violation; earlier filings (within 30 days) preserve evidence and increase the chance of a temporary order.
What fines can NPC impose?
NPC Circular 2022-01 sets administrative fines of up to ₱5M per offence; criminal penalties under RA 10173 reach up to 6 years' imprisonment and a ₱4M fine. NPC can also order data deletion and issue a cease-and-desist order.