Information Security and Privacy Protection Management Framework
EVA Air has been dedicated to establishing information security systems and complying with legal and regulatory requirements. To ensure independent oversight and checks in information security governance, the “Information Security and Privacy Management Division” is responsible for the management and supervision of information security and personal data protection. Additionally, through the establishment of the “Information Security and Privacy Protection Committee”, our goal is to appropriately balance risk management with business development.
Information Security and Privacy Management Division

The “Information Security and Privacy Management Division” is responsible for the planning of information security and personal information protection, compliance with regulations and norms, execution of the ISMS, prevention of and countermeasures against information security incidents, and awareness training. The Division supervises the implementation of policies by all departments, formulates and enforces detailed protocols based on operating requirements, and strengthens the information security management system through performance evaluations. The head of the Information Security and Privacy Management Division is the Chief Information Security Officer, who is responsible for promoting information security policies, allocating resources, and reporting information security governance effectiveness and planning to the executive management team and the board of directors.
Information Security and Privacy Protection Committee

The Information Security and Privacy Protection Committee was established in 2022. The CEO serves as the chairman, and the committee meets every six months. The Committee, led by the CEO and all department heads, reviews EVA Air’s information security and privacy protection policies and governs the implementation of the ISMS. In order to fulfill our social responsibility and achieve the goal of corporate sustainability, the Committee ensures the confidentiality, integrity and availability of information assets through the efficacy and resilience of the ISMS.
Information Security Policy
EVA Air has formulated our information security policy to ensure the confidentiality, integrity and availability of information assets, and to prevent internal and external threats, whether intentional or not. All personnel of the Company, business-related suppliers and their employees, temporary employees, etc., shall abide by the rules and procedures of the policy and relevant management mechanisms. The policy is disclosed on the official website to demonstrate the Company's commitment to upholding information security and personal privacy protection.

EVA Air Information Security Policy
Information Security Management System and Privacy Information Management System
EVA Air established our Information Security Management System and Privacy Information Management System in accordance with the ISO 27001 and ISO 27701 international standards. The scope of ISO 27001 verification covers areas such as flight safety, aviation security, core passenger and cargo service functions, personal data, and information infrastructure; ISO 27701 certification is introduced for important personal data within the aforementioned scope. At least one internal information security audit is conducted annually, focusing on independent verification of policy implementation and control mechanisms. Specific recommendations for improvement are provided based on audit findings. The responsible departments are required to complete necessary adjustments within a specified timeframe. Follow-up reports are submitted to ensure effective implementation and continuous improvement of the management system. Through verification by the British Standards Institution (BSI) and regular monitoring and review, we ensure the effectiveness of both systems. Our current certification is valid until May 12, 2028.

Information Security and Privacy Protection Education, Training and Effectiveness
In order to establish a basic information security mindset in employees, enhance their information security and privacy protection awareness, and mitigate information security incidents and their associated impact, we conduct social engineering drills and awareness training for all units both at home and abroad. Relevant news or information is also shared on the Company website from time to time. In addition, an online training course covering information security and privacy protection for all employees is organized every year. The statistics for the 2024 training course are shown below:
All employees
  Number of people who completed the training (Note): 10,979
  Training hours: 2 hours
  Coverage rate: 100%

New employees
  Number of people who completed the training: 1,033
  Training hours: 1 hour
  Coverage rate: 100%

Information technology personnel
  Number of people who completed the training: 284
  Training hours: 2 hours
  Coverage rate: 100%

Information security personnel
  Number of people who completed the training: 7
  Training hours: at least 12 hours per year
  Coverage rate: 100%
Note: Trainees exclude resigning employees, employees on leave without pay, employees on long-term leave of absence, and personnel with special job attributes.

Reporting Channel and Procedure for Employees
All employees of the Company should immediately follow the reporting procedures when they notice that an information security event has occurred. If the Information Security and Privacy Management Div. receives a report that constitutes an information security incident, it is reported to the head of the Information Security and Privacy Management Div. and the severity of the incident is classified. Based on the decision of the information security coordination council, the emergency response procedure is initiated, and an information security contingency taskforce is formed to estimate and mitigate the damage, formulate emergency handling methods, and discuss possible solutions.

Information security incident drills are divided into two types: personal information breach and ICT (Information and Communication Technology) security. The drills are conducted at least 5 times a year to ensure that, when an information security incident occurs, all responsible units can obtain the relevant information promptly through the notification process, make decisions immediately and take the necessary contingency measures to reduce the extent of the damage. The results achieved through the drills include confirming the suitability and availability of the emergency response procedures, enhancing the information security awareness and adaptability of employees, and strengthening communication and coordination between the responsible units. Employees violating information security regulations or digital information system usage regulations are punished under the employee management regulations according to the severity of the violation.

Privacy and Personal Data Protection
EVA Air respects customer privacy and abides by the relevant personal privacy protection regulations of its operating locations with regard to the collection, processing and use of customer information. EVA Air provides our members with services while making every effort to protect their information, privacy and interests. Information on personal data collection and application, and the privacy protection and security statements, are clearly stated in the “Privacy Policy and Cookies” on EVA Air’s website. When joining us as members, members must read and agree to EVA Air’s Privacy Policy & Cookies Terms and Conditions. EVA Air obtains customer consent before collecting personal data; the purpose, categories, methods, usage and retention period are explained in detail in our privacy policy. We process and use personal data as per our privacy policy, and customers may exercise their data subject rights in accordance with applicable regulations. Data access is authorized only to necessary personnel on a need-to-know basis, with records and logs of data changes kept for internal control.

EVA Air’s privacy protection policy is applicable to all departments and individuals (including suppliers) that collect, process and use personal data. The policy specifically states that EVA Air’s collection, processing and use of personal data shall comply with the Personal Data Protection Act, the EU General Data Protection Regulation (GDPR), the California Privacy Rights Act (CPRA), and other regulations related to personal data and privacy protection, and shall prevent the theft, alteration, damage, loss or divulging of personal data held. It also clearly stipulates that employees shall comply with personal data protection regulations, and that those found in violation shall be punished in accordance with the severity of the violation. Outsourced vendors found in violation shall be handled in accordance with the penalties stipulated in the contract. To ensure the implementation of information security and personal data protection, reviews of personal data collection, processing and utilization have been included in the self-assessment items for annual internal control. Various review requirements have also been included in the information security self-assessment items.

EVA Air’s privacy protection policy clearly states that the purposes of personal data collection are the flight-booking process, establishment of ticket-related data, ticketing notifications, issuing itineraries, transportation management, providing consumer/passenger/membership services and management, handling payment issues and irregularities, baggage claims, product marketing, online shopping, inflight shopping, additional purchases, service, online advertising, and statistical surveys and analyses in order to improve service quality and strengthen personalized services. Furthermore, information is collected with passenger consent. In 2024, there was no incident of secondary use of passengers’ personal data. Customers can exercise their personal data rights through the EVA Air website. They can request deletion of their personal data by downloading and completing an application form and submitting it to EVA Air offices worldwide.