Information technology personnel
Number of people who completed the training: 272 persons
Training hours: 2 hours
Coverage rate: 100%
Information security personnel
Number of people who completed the training: 7 persons
Training hours: at least 12 hours per year
Coverage rate: 100%
All employees in the Company should immediately follow the reporting procedures when they notice an information security event has occurred. If the Information Security and Privacy Management Div. receives a report that constitutes an information security incident, it will be reported to the head of the Information Security and Privacy Management Div. and the severity of the incident will be classified. Based on the decision of the information security coordination counsel, the emergency response procedure will be initiated, and an information security contingency taskforce will be formed to estimate and mitigate the damages, formulate emergency handling methods, and discuss possible solutions.
EVA Air has great respect for customer privacy, and abides by the relevant personal privacy protection regulations of its operating locations in regard to the collection, processing and use of customer information. EVA Air provides our members with services, while making every effort to protect their information, privacy and interests. Information on personal data collection and application, and the privacy protection and security statements, are clearly stated in the “Privacy Policy and Cookies” on EVA Air’s website. When joining us as members, members must read and agree with EVA Air’s Privacy Policy & Cookies Terms and Conditions. EVA Air obtains customer consent before personal data collection; the purpose, categories, methods, usage and retention period are explained in detail in our privacy policy. We process and use personal data as per our privacy policy, and customers may exercise their data subject rights in accordance with applicable regulations. Data access is authorized only to necessary personnel on a need-to-know basis, with records and logs of data changes kept for internal control.
EVA Air’s privacy protection policy is applicable to all departments and individuals (including suppliers) that collect, process and use personal data. The policy specifically states that EVA Air’s collection, processing and use of personal data shall be in compliance with the Personal Data Protection Act, the EU General Data Protection Regulation (GDPR), the California Privacy Rights Act, and other relevant laws and regulations related to personal data and privacy protection, and shall prevent the theft, alteration, damage, loss or divulging of personal data held. It also clearly stipulates that employees shall comply with personal data protection regulations, and that those found in violation shall be punished in accordance with the severity of the violation. Outsourced vendors found in violation shall be handled in accordance with the penalties stipulated in the contract.
To ensure the implementation of information security and personal data protection, reviews of personal data collection, processing and utilization have been included in the self-assessment items for annual internal control. Various review requirements have also been included in the information security self-assessment items.
EVA Air’s privacy protection policy clearly states that the purpose of personal data collection is for the flight-booking process, establishment of ticket-related data, ticketing notifications, issuing itineraries, transportation management, providing consumer/passenger/membership services and management, handling payment issues and irregularities, baggage claims, product marketing, online shopping, inflight shopping, additional purchases, service, online advertising, and statistical surveys and analyses in order to improve service quality and strengthen personalized services. Furthermore, information is collected with passenger consent. In 2022, there was no incident of secondary use of the personal data of passengers.
Customers can exercise their personal data rights through the EVA Air website. They can request to delete personal data by downloading and completing an application form, and submitting the application form to EVA Air offices worldwide.