Yes. That information (name, address and order) is protected by the Data Privacy Act.
First, as a business that collects this information, you are required to appoint a Data Privacy Officer (DPO) who will be responsible for keeping the data safe and private. Second, the law provides penalties if the information is misused.
In general, the use of personal information is considered lawful if the provider has given consent for its use and the use is necessary for the contract/transaction or other lawful purpose.
In addition: the purpose of the collection and use of personal information must be declared; and, the information should be:
It must be in writing. If you interact online, there must be a form where the consent can be indicated.
The law provides a set of fines and periods of imprisonment.
It depends on the details, but could be: imprisonment of one year to five years and a fine of Php500,000.00 to Php1,000,000.00.
The law defines “sensitive personal information” this way:
“Sensitive personal information refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.”
There are additional requirements and protections for “sensitive personal information”. For instance, if there is a breach of sensitive information, you are required to notify the National Privacy Commission. If you do not, there are penalties. Note: if your business handles sensitive personal information, it is highly recommended that you take the time to read through the materials provided by the National Privacy Commission, and/or consult with a lawyer.
At minimum, you should have a standard consent form for use whenever you obtain personal information from your customers. You must also appoint a Data Privacy Officer. Considering the gravity of the penalties for misuse of data, if you are unsure whether you are compliant with the law, it is highly recommended that you take the time to study carefully the materials made available by the National Privacy Commission, and/or consult with a lawyer.