
Information Security and Privacy Protection Management Framework
EVA Air has been dedicated to establishing information security systems and complying with legal and regulatory requirements. To ensure independent oversight and checks in information security governance, the “Information Security and Privacy Management Division” is responsible for the management and supervision of information security and personal data protection. Additionally, through the establishment of the “Information Security and Privacy Protection Committee”, our goal is to appropriately balance risk management with business development.

 
Information Security and Privacy Management Division

The “Information Security and Privacy Management Division” is responsible for planning information security and personal information protection, compliance with regulations and norms, execution of the ISMS, prevention of and countermeasures against information security incidents, and awareness training. The Division supervises implementation of policies by all departments, formulates and enforces detailed protocols based on operating requirements, and strengthens the information security management system through performance evaluations. The head of the Information Security and Privacy Management Division is the Chief Information Security Officer, who is responsible for promoting information security policies, allocating resources, and reporting on the effectiveness of and planning for information security governance to the executive management team and the board of directors.

Information Security and Privacy Protection Committee

The Information Security and Privacy Protection Committee was established in 2022. The CEO serves as the chairman, and the committee meets every six months. The Committee, led by the CEO and all Department heads, reviews EVA Air’s information security and privacy protection policies and governs the implementation of the ISMS. In order to fulfill its social responsibility and achieve the goal of corporate sustainability, the Committee will ensure the confidentiality, integrity and availability of information assets by drawing on the efficacy and resilience of the ISMS.


Privacy Policy
EVA Air has formulated its information security policy to ensure the confidentiality, integrity and availability of information assets, and to prevent internal and external threats, whether intentional or not. All EVA employees, temporary workers, visitors and associated workers of service providers should abide by the norms and procedures of the policy. The policy is disclosed on the official website to demonstrate the Company's commitment to upholding information security and personal privacy protection.

EVA Air Privacy Policy
 
Information Security Management System 
EVA Air established its Information Security Management System in accordance with the ISO 27001 international standard. The scope of verification covers areas such as flight safety, aviation security, core passenger and cargo service functions, personal data, and information infrastructure. Through verification by the British Standards Institution (BSI) and regular monitoring and review, we ensure the effectiveness of this system. Our current certification is valid from December 23, 2022, to October 31, 2025.

Information Security and Privacy Protection Education, Training and Effectiveness
In order to establish a basic information security mindset in employees, enhance their information security and privacy protection awareness, and mitigate information security incidents and their associated impact, we conduct social engineering exercises and awareness training for all units both at home and abroad. Relevant news and information are also shared on the Company website from time to time. In addition, an online training course covering information security and privacy protection for all employees is organized every year. The statistics for the 2023 training course are shown below:
 
| Group | Number of people who completed the training | Training hours | Coverage rate |
| --- | --- | --- | --- |
| All employees | 10,950 (Note) | 2 hours | 100% |
| New employees | 1,260 | 1 hour | 100% |
| Information technology personnel | 272 | 2 hours | 100% |
| Information security personnel | 7 | At least 12 hours per year | 100% |
 
Note: Trainees exclude resigning employees, employees on leave without pay, employees on long-term leave of absence, and personnel with special job attributes.

Reporting Channel and Procedure for Employees
All employees in the Company should immediately follow the reporting procedures when they notice an information security event has occurred. If the Information Security and Privacy Management Div. receives a report that constitutes an information security incident, it will be reported to the head of the Information Security and Privacy Management Div. and the severity of the incident will be classified. Based on the decision of the information security coordination counsel, the emergency response procedure will be initiated, and an information security contingency taskforce will be formed to estimate and mitigate the damages, formulate emergency handling methods, and discuss possible solutions.

Privacy and Personal Data Protection
EVA Air has great respect for customer privacy, and abides by the relevant personal privacy protection regulations of its operating locations in regard to the collection, processing and use of customer information. EVA Air provides our members with services, while making every effort to protect their information, privacy and interests. Information on personal data collection and application, and the privacy protection and security statements, are clearly stated in the “Privacy Policy and Cookies” on EVA Air’s website. When joining us as members, members must read and agree with EVA Air’s Privacy Policy & Cookies Terms and Conditions. EVA Air obtains customer consent before personal data collection; the purpose, categories, methods, usage and retention period are explained in detail in our privacy policy. We process and use personal data as per our privacy policy, and customers may exercise their data subject rights in accordance with applicable regulations. Data access is authorized only for necessary personnel on a need-to-know basis, with records and logs of data changes kept for internal control.
 
EVA Air’s privacy protection policy is applicable to all departments and individuals (including suppliers) that collect, process and use personal data. The policy specifically states that EVA Air’s collection, processing and use of personal data shall be in compliance with the Personal Data Protection Act, the EU General Data Protection Regulation (GDPR), the California Privacy Rights Act, other regulations related to personal data and privacy protection, and other relevant laws and regulations, and shall prevent the theft, alteration, damage, loss or divulging of personal data held. It also clearly stipulates that employees shall comply with personal data protection regulations, and that those found in violation shall be punished in accordance with the severity of the violation. Outsourced vendors found in violation shall be handled in accordance with the penalties stipulated in the contract. To ensure the implementation of information security and personal data protection, reviews of personal data collection, processing and utilization have been included in the self-assessment items for annual internal control. Various review requirements have also been included in the information security self-assessment items. EVA Air’s privacy protection policy clearly states that the purpose of personal data collection is for the flight-booking process, establishment of ticket-related data, ticketing notifications, issuing itineraries, transportation management, providing consumer/passenger/membership services and management, handling payment issues and irregularities, baggage claims, product marketing, online shopping, inflight shopping, additional purchases, service, online advertising, and statistical surveys and analyses in order to improve service quality and strengthen personalized services. Furthermore, information is collected with passenger consent. In 2022, there was no incident of secondary use of the personal data of passengers.
 
Customers can exercise their personal data rights through the EVA Air website. They can request to delete personal data by downloading and completing an application form, and submitting the application form to EVA Air offices worldwide.