last updated on 29 Dec, 2023
EVA AIR (hereinafter referred to as "the Company") believes that personal data belongs to each data subject, including traveler, visitor, member, etc, referred to collectively as "You". Safeguarding the personal data entrusted to the Company and Your privacy is the responsibility of the Company.
The Company encourages You to be aware of Your rights regarding personal data and privacy, enabling You to use the tailored services provided by the Company with peace of confidence. Herein, in accordance with the Personal Data Protection Act of the Republic of China (hereinafter referred to as "Taiwan"),the General Data Protection Regulation of the European Union (hereinafter referred to as "GDPR"), the California Privacy Rights Act (hereinafter referred to as "CPRA") and other applicable data protection laws, regulations (hereinafter collectively referred to as “the applicable data protection laws”), the Company informs You of the following provisions regarding the protection of personal data and privacy.
Purpose of Personal Data Collection
The Company collects Your personal data for the following purposes:
- Establishment of reservations and related information for ticketing.
- Ticketing notifications and issuing itineraries.
- Transportation management.
- Provision of various consumer, traveler, and member-related services and management.
- Handling of other exceptional services, customer complaints, and opinions.
- Payment processing.
- Baggage claims.
- Marketing activities.
- Online shopping.
- In-flight shopping.
- Purchase of additional goods and services.
- Online advertising.
- Statistical surveys and analysis for service quality improvement.
In addition to the aforementioned scope of this Policy, the Company may use or exceptionably utilize Your information for specific purposes due to the following situations:
- To comply with the applicable laws and regulations of both domestic and international jurisdiction, including but not limited to civil aviation, customs, diplomacy, public health (quarantine), law enforcement, and judicial investigation.
- In the interest of public interest.
- To prevent risks to Your life, body, freedom, or property.
- To prevent significant harm to the rights and interests of individuals other than Yours .
- With Your consent or when it is in Your best interests.
- In accordance with Article 6, paragraph 1, subparagraphs of the Personal Data Protection Act of Taiwan and Article 9(2) of the GDPR.
Methods of Personal Data Collection
The Company will collect Your personal data through the following methods and channels:
- When You:
- Become a member of "Infinity MileageLands,"or "EVA Fans."
- Book, purchase, or pre-order products or services, including various add-on services, high-speed rail tickets, and online or in-flight shopping. Or participate in offline or online activities including online advertisements.
- Use online services (such as seat or meal selection, check-in, SMS registration, flight feedback) or contact our customer service channels (including service centers, town or airport counters) for onward services.
- When You participate in the Company's market research activities (including marketing statistics) and fill out forms or questionnaires.
- The Company may collect or receive Your personal data through other third parties:
- Agents who book tickets or itineraries on behalf of Your .
- Government, law enforcement, and judicial agencies in various countries.
Please be well noted that when You book or purchase travel-related products (including car rentals, local transportation, accommodation, etc.) other than those sold by the Company through its channels (including the global, duty-free or mobile websites), Your personal data may be collected, processed, and used by third parties. The third parties’ collection and use Your personal data will be subject to their own privacy policies and please read their privacy policies carefully before deciding whether to consent to them.
Categories of Collected Personal Data
Through the aforementioned methods and channels of personal data collection, the Company may collect, process, and utilize Your personal data, including but not limited to:
- Identifiable Personal Information:
Name, title, address, office (company) address, home phone number, mobile phone number, online platform account, communication and domicile addresses, email addresses, records providing online identity verification or inquiry services, user passwords, location Information (IP addresses, GPS Location), cookies, device unique identifiers, or any other personally identifiable information.
- Identifiable Financial Information:
Financial institution account numbers and names, credit card or debit card numbers and other personal numbers or accounts.
- Personally identifiable information (PII) contained in government data:
ID numbers, unified certificate numbers, disability numbers, license numbers, passport numbers, etc.
- Information About Personal Descriptions:
Age, gender, date of birth, place of birth, nationality, voice, etc.
- Details About Other Family Members (Personal family member information):
Details about children, dependents, other family members or relatives, parents, cohabitants, and relatives residing abroad and in mainland China.
- Information About Residence and Facilities:
Information about residence addresses, etc.
- Details About Travel and Other Migration:
Details about migrations and travels, past foreign passports, residence certificates, and work permits.
- Information About Leisure Activities and Interests:
Hobbies, sports and other interests, etc.
- Occupational Information:
Various occupational information, position, title, etc.
- Compensation Information:
Details about compensation claims (contractual content, compensation items, quantity), amounts, etc.
- Health Record Information:
Medical reports, treatment and diagnosis records, medical diagnosis certificate, test results, type of disabilities, levels, validity periods, disability handbook certificate numbers, and contacts, etc.
- Other Data (Data Uncategorized):
Unclassifiable letters, files, reports, recordings, emails or Your feedback (letters, emails), etc.
Special Personal Data
Depending on the specific case, the Company may be subject to single, multi-national, or various personal data protection laws when processing Your personal data. This may result in certain personal data being classified as special or sensitive types of personal data, such as biometric identification, health-related information, etc. In principle, the Company does not process the aforementioned special or sensitive types of personal data unless required by applicable laws. However, if You voluntarily provide such data to facilitate the Company's processing of Your personalized needs, the Company will collect, process, and utilize the data in accordance with relevant legal requirements.
It is particularly emphasized that if You are unable to provide the personal data necessary for the selected service scope, the Company may be unable to complete all or part of the service and transaction.
Usage of Personal Data
The Company will use your personal data upon your consent in the following ways to fulfill the services per Your request, as well as safeguarding Your rights:
- In addition to ticket purchase and any other pre-paid services, the Company will use Your personal data to:
- book, issue tickets and create related records including ticketing notifications, certificates of ticket issuance, receipts, invoices, fare information, purchasing information and related online services(including shopping), etc.
- submit to the respective financial institution for the ticket purchase process (e.g., for credit card authorization or bank transfer) before the ticket purchase is complete, as well as safeguarding the security and reliability of transaction.
- send flight-related reminder and order information by emails, app notifications or text messages.
- Transfer (including cross-border transfer) of Your personal data to the Company and its contractors, agencies, subsidiaries, affiliates, group, immigration authorities of the arrival country and business partners (hereinafter collectively referred to as “the Company's partners”), for the provision of products and services which include booking, ticketing, local transportation, check-in, shopping, texting, affiliated marketing, loyalty program, and various on-line and off-line activities.
- Promote the services and products of the Company and/or of a third-party contract partner, and the Company's partners. Opt-out will be provided to You during the initial and subsequent marketing campaigns to secure your rights. You can always choose to opt out of receiving such marketing information through the aforementioned options even You’ve agreed before.
Personal Data Usage Period
The Company will retain the personal data You provide based on the following factors:
- Specific collection purposes.
- Relevant laws and regulations, such as the Civil Code , Personal Data Protection Act of Taiwan, GDPR, CPRA and other applicable regulations.
- Necessity to fulfill the contract (which may be longer than the periods specified in the aforementioned laws and regulations).
- Retention periods specified in individual contracts between You and the Company.
- Required by government and judicial investigations or litigation.
The Company will delete your personal data automatically when it is no longer required for the purpose of collection or when the retention period expires.
Region of Personal Data Use and Cross-Border Transfer
Your personal data will be transmitted (including domestic and cross-border transfer) and stored in a secure information environment. It will be processed and utilized by business offices of the Company and UNI AIRWAYS CORPORATION operated to fulfill the services You require.
To achieve the above purposes, the Company will adopt adequate safeguard measures to comply with applicable personal data protection laws, relevant regulations, and the requirements of this Policy.
Data Protection Measures and Contact Information
To ensure that all personnel of the Company, as well as employees of vendors and their temporary employees, visitors, and others with business dealings with the Company, comply with relevant laws in the collection, processing, and utilization of Your personal data, the Company has established guidelines (EVA Air Personal Data File Security Maintenance Plan) as regulations for various operational processes.
The following security measures are adopted to protect the personal data You provide to the Company, ensuring the confidentiality, integrity, and availability of Your personal data:
- Access to Your personal data must pass through the Company's identity and access control mechanisms.
- The Company and its employees and outsourced vendors are contractually obligated to maintain confidentiality when collecting, processing, or utilizing Your personal data. They must also adhere to the Company's information security policies and regulations.
- Annual information security and personal data protection education and training are provided to employees to enhance compliance awareness.
- Annual internal compliance audits of the collection, processing, and utilization of Your personal data are conducted, reviewing the legality of internal policies. External and internal issues are collected, and requests from relevant stakeholders are incorporated into risk assessments, integrated into risk management procedures to identify potential risks and address them promptly.
- Twice a year, external independent organizations audit the Company's personal data protection management measures to strengthen control mechanisms from an independent and objective perspective for effective implementation.
- The Company's network infrastructure has passed ISO 27001 certification, ensuring secure transmission through high-tech encryption methods for online transactions and personal confidential data. Data is encrypted before online transmission to prevent interception and misuse.
- The Company adopts a zero-tolerance policy for violations of personal data protection. If an investigation reveals confirmed involvement in violations of applicable personal data protection regulations, including failure by individuals with supervisory responsibilities to report misconduct, the Company will immediately review and improve management measures. Disciplinary actions will be taken in accordance with employment contracts, internal disciplinary regulations, and procedures, including dismissal.
- If You have any opinions on this Policy, You can contact us through the following channels:
EVA Airways Corporation
Data Protection Officer/Personal Information Protection Officer
376, Section 1, XinNan Road, Luzhu District, Taoyuan City 33801, Taiwan
Your Rights Regarding Personal Data
Once You have provided the Company with Your personal data, the company will collect, process, and utilize it within the scope and purposes to which You have consented. You are entitled to exercise the following rights in accordance with the applicable data protection laws:
- Inquiry or Request for Access.
- Request for Copy.
- Request for Supplementary or Correction.
- Restriction of Collection, Processing, or Utilization.
- Request for Deletion: You may request the deletion or erasure of Your personal data. However, if the processing of Your personal data is deemed necessary and compliant with relevant personal data regulations, the data may not be subject to deletion or erasure, and the Company may be unable to proceed or respond accordingly.
- Refusal of Marketing, Request to withdraw from Marketing: You have the right to refuse the company's processing of Your personal data for the purpose of direct marketing of the company's products or services. For refusal or rejection of marketing, please refer to the content of point 3 under subject "Usage of Personal Data".
- Request for Restriction of Processing.
- Request for Data Portability.
- Restriction of Automated Decision-Making.
If You are a resident of California, You also have the right to exercise the following rights:
- Right to Deletion: In accordance with CPRA, the Company will notify third-party vendors who have received Your personal data to delete it, not limited to the data stored by the Company.
- Right to Know Request: In compliance with CPRA, You can request the Company to disclose the types of personal data collected within the past 12 months (from the date of Your request), collection sources, and recipients of Your personal data sold or shared for business purposes.
- Right to Opt-Out of Sale or Sharing of Personal Data: If You wish to exercise this right, please use the service hotline provided in point 6 or download the application form (Click on this link to download the Personal Data Rights and Privacy Request Form) and submit it to the Company's offices worldwide.
- Right to Restrict the Use and Disclosure of Sensitive Personal Data: You may request the Company to limit the use of Your sensitive personal data to purposes necessary for providing services or products.
- Right to Non-Discrimination: The Company will not treat You differently for exercising the rights granted by CPRA.
- Rights Exercise Hotline: You can exercise Your rights granted by CPRA through the Company's service hotline at +1-800-695-1188 in the Americas.
You can exercise the rights under this Policy or applicable personal data laws. Upon verification of Your identity, the Company will process Your requests as soon as possible. If You request the deletion, non-sale, or non-sharing of Your personal data, You need to download the application form the Company's global website (Click on this link to download the Personal Data Rights and Privacy Request Form). After completing the form, submit it to the Company's offices worldwide.
If the personal data provided by You is incorrect or incomplete (such as using a nickname), preventing the Company from verifying Your true identity, the Company may be unable to respond to Your privacy rights claims. In accordance with legal requirements, the Company may reject Your requests and provide explanations for such refusals.