Effective Date of Current Policy: March 29, 2021
Workday Strategic Sourcing Website and Event Visitors
When you visit a Workday Strategic Sourcing (formerly Scout RFP) website or if you have attended a Workday Strategic Sourcing event, Workday is the data controller for any personal information that was collected about you, which will be handled in accordance with the Workday Privacy Statement located at https://www.workday.com/en-us/privacy.html.
End Users of Workday Strategic Sourcing Services
If you are a user of the Workday Strategic Sourcing enterprise software service (either as a supplier or a customer end user), Workday is the data controller for your account information (for example, your name and email address), which will be handled in accordance with the Workday Privacy Statement located at https://www.workday.com/en-us/privacy.html.
Workday Strategic Sourcing Enterprise Customer Terms
Unless otherwise defined below, all capitalized terms have the meaning given to them in the Agreement.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“Data Protection Laws” means all data protection laws applicable to the Processing of Personal Data, including local, state, national and/or foreign laws, treaties, and/or regulations, the GDPR, and implementations of the GDPR into national law.
“Data Subject” means the person to whom the Personal Data relates.
“GDPR” means the General Data Protection Regulation (EU) 2016/679.
“Personal Data” means any Sourcing Data that relates to an identified or identifiable natural person.
“Personal Data Breach” means a ‘personal data breach’ as defined in the GDPR affecting Personal Data.
“Processing” or “Process” means any operation or set of operations performed on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing, or destroying.
“Sourcing Data” means the electronic data or information submitted through the Workday Strategic Sourcing Service to Customer’s Sourcing Instance by Customer. For clarity, account information that an end user provides to register for an account (such as name, email and password) and any data provided for the purposes of support or feedback is not “Sourcing Data” and will instead be handled in accordance with the Workday Privacy Statement located at https://www.workday.com/en-us/privacy.html.
“Sourcing Instance” means a unique set of Sourcing Data held in a logically separated database (i.e., a database segregated through password-controlled access).
“Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of personal data to processors established in third countries pursuant to Commission Decision (2010/87/EU) available on the European Commission’s website at http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.html.
“Subprocessor” means a Workday affiliate or third-party entity engaged by Workday or a Workday Affiliate as a Data Processor to further Process Personal Data.
“Subprocessor List” means the subprocessor list identifying the Subprocessors that are authorized to Process Personal Data for the Workday Strategic Sourcing Service, accessible through Workday’s website, currently available at https://www.workday.com/en-us/legal/subprocessors.html.
“Workday Strategic Sourcing Service” means the service(s) described in the Agreement.
2. Processing Personal Data
2.1 Scope and Role of the Parties. These Workday Strategic Sourcing Enterprise Privacy Terms apply to the Processing of Personal Data by Workday to provide the Workday Strategic Sourcing Service. For the purposes of these Workday Strategic Sourcing Enterprise Privacy Terms, Customer and its affiliates are the Data Controller(s) and Workday is the Data Processor.
2.2 Instructions for Processing. Workday shall Process Personal Data in accordance with Customer’s documented instructions. Customer instructs Workday to Process Personal Data to provide the Workday Strategic Sourcing Service in accordance with the Agreement (including these Workday Strategic Sourcing Enterprise Privacy Terms incorporated by reference). Customer may provide additional instructions to Workday to Process Personal Data; however, Workday shall be obligated to perform such additional instructions only if they are consistent with the terms and scope of the Agreement and these Workday Strategic Sourcing Enterprise Privacy Terms.
2.3 Compliance with Laws. Workday shall comply with all Data Protection Laws applicable to Workday in its role as a Data Processor Processing Personal Data. For the avoidance of doubt, Workday is not responsible for complying with Data Protection Laws applicable to Customer or Customer’s industry such as those not generally applicable to online service providers. Customer shall comply with all Data Protection Laws applicable to Customer as a Data Controller and shall obtain all necessary consents, and provide all necessary notifications, to Data Subjects to enable Workday to carry out lawfully the Processing contemplated by these Workday Strategic Sourcing Enterprise Privacy Terms.
3.1 Use of Subprocessors. Customer agrees and provides a general prior authorization that Workday and its affiliates may engage Subprocessors. Workday or the relevant Workday affiliate engaging a Subprocessor shall ensure that such Subprocessor has entered into a written agreement that is no less protective than these Workday Strategic Sourcing Enterprise Privacy Terms. Workday shall be liable for the acts and omissions of any Subprocessors to the same extent as if the acts or omissions were performed by Workday.
3.2 Notification of New Subprocessors. Workday shall make available to Customer a Subprocessor List and provide Customer with a mechanism to obtain notice of any updates to the Subprocessor List. At least thirty (30) days prior to authorizing any new Subprocessor to Process Personal Data, Workday shall provide notice to Customer by updating the Subprocessor List.
3.3 Subprocessor Objection Right. This Section 3.3 shall apply only where and to the extent that Customer is established within the European Economic Area, the United Kingdom or Switzerland or where otherwise required by Data Protection Laws applicable to Customer. In such event, if Customer objects on reasonable grounds relating to data protection to Workday’s use of a new Subprocessor, then Customer shall promptly, and within fourteen (14) days following Workday’s notification pursuant to Section 3.2 above, provide written notice of such objection to Workday. Should Workday choose to retain the objected-to Subprocessor, Workday will notify Customer at least fourteen (14) days before authorizing the Subprocessor to Process Personal Data and Customer may terminate the relevant portion(s) of the Workday Strategic Sourcing Service within thirty (30) days. Upon any termination by Customer pursuant to this Section, Workday shall refund Customer any prepaid fees for the terminated portion(s) of the Workday Strategic Sourcing Service that were to be provided after the effective date of termination.
4. Rights of Data Subjects
4.1 Assistance with Data Subject Requests. Workday will, in a manner consistent with the functionality of the Workday Strategic Sourcing Service and Workday’s role as a Data Processor, provide reasonable support to Customer to enable Customer to respond to Data Subject requests to exercise their rights under applicable Data Protection Laws (“Data Subject Requests”).
4.2 Handling of Data Subject Requests. For the avoidance of doubt, Customer is responsible for responding to Data Subject Requests. If Workday receives a Data Subject Request or other complaint from a Data Subject regarding the Processing of Personal Data, Workday will promptly forward such request or complaint to Customer, provided the Data Subject has given sufficient information for Workday to identify Customer.
5. Workday Personnel
Workday shall require screening of its personnel who may have access to Personal Data, and shall require such personnel (i) to Process Personal Data in accordance with Customer’s instructions as set forth in these Workday Strategic Sourcing Enterprise Privacy Terms, (ii) to receive appropriate training on their responsibilities regarding the handling and safeguarding of Personal Data, and (iii) to be subject to confidentiality obligations which shall survive the termination of employment.
6. Personal Data Breach
In the event Workday becomes aware of a Personal Data Breach it shall without undue delay notify Customer in accordance with the Security Breach provisions of the Agreement. To the extent Customer requires additional information from Workday to meet its Personal Data Breach notification obligations under applicable Data Protection Laws, Workday shall provide reasonable assistance to provide such information to Customer taking into account the nature of Processing and the information available to Workday.
7. Security Program
Workday shall implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data as set forth in Appendix 2.
Customer agrees that, to the extent applicable, Workday’s then-current SOC 2 audit report (or comparable industry-standard successor reports) will be used to satisfy any audit or inspection requests by or on behalf of Customer, and Workday shall make such report available to Customer. In the event that Customer, a regulator, or supervisory authority requires additional information, including information necessary to demonstrate compliance with these Workday Strategic Sourcing Enterprise Privacy Terms, or an audit related to the Workday Strategic Sourcing Service, Workday and Customer will discuss the scope, timing, duration, and cost of any additional audits in good faith.
9. Return and Deletion of Personal Data
Upon termination of the Workday Service, Workday shall return Personal Data in accordance with the relevant provisions of the Agreement. Following Customer’s retrieval of data Workday shall, unless legally prohibited, delete Personal Data consistent with the then-current Sourcing deletion policy.
10. Additional European Terms
10.1 Standard Contractual Clauses. The Standard Contractual Clauses shall be deemed incorporated into these Workday Strategic Sourcing Enterprise Privacy Terms by reference and shall apply between Customer and the Customer Affiliates established within the European Economic Area, the United Kingdom and Switzerland (each as “data exporter”) and Workday, Inc. (as “data importer”), subject to the requirements of Section 11.
10.2 Subject-Matter, Nature, Purpose and Duration of Data Processing. Workday will Process Personal Data to provide the Workday Strategic Sourcing Service. The duration of Processing Personal Data shall be for the term of the Agreement.
10.3 Types of Personal Data and Categories of Data Subjects. The types of Personal Data and categories of Data Subjects are set forth in Appendix 1, which is hereby incorporated into these Workday Strategic Sourcing Enterprise Privacy Terms.
10.4 Data Protection Impact Assessments and Prior Consultations. Customer agrees that, to the extent applicable, Workday’s then-current SOC 2 audit report (or comparable industry-standard successor reports) will be used to carry out Customer’s data protection impact assessments and prior consultations, and Workday shall make such report available to Customer. To the extent Customer requires additional assistance to meet its obligations under Article 35 and 36 of the GDPR to carry out a data protection impact assessment and prior consultation with the competent supervisory authority related to Customer’s use of the Workday Strategic Sourcing Service, Workday will, taking into account the nature of Processing and the information available to Workday, provide reasonable assistance to Customer. Workday and Customer will discuss the scope, timing, and any applicable costs for such assistance in advance.
11. Clarifications to the Standard Contractual Clauses
11.1 Appendices. Appendices 1 and 2 to these Workday Strategic Sourcing Enterprise Privacy Terms shall be deemed automatically incorporated into Appendices 1 and 2 of the Standard Contractual Clauses.
11.2 Audits. For the purposes of Clause 5 (f) of the Standard Contractual Clauses, audits will be performed in accordance with Section 8 of these Workday Strategic Sourcing Enterprise Privacy Terms.
11.3 Subprocessors. For the purposes of Clause 11 of the Standard Contractual Clauses, Customer consents to Workday appointing Subprocessors in accordance with Section 3 of these Workday Strategic Sourcing Enterprise Privacy Terms.
11.4 Return and Deletion of Personal Data. For purposes of Clause 12 (1) of the Standard Contractual Clauses, Workday shall return and delete Data Exporter’s data in accordance with Section 9 of these Workday Strategic Sourcing Enterprise Privacy Terms.
11.5 Conflict. For the avoidance of doubt, the parties agree that the terms of this Section are not intended to amend or modify the Standard Contractual Clauses. These provisions provide clarity in terms of Workday’s business processes for complying with the Standard Contractual Clauses. In the event of any conflict between the terms of these Workday Strategic Sourcing Terms and the provisions of the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
12. General Provisions
12.1 Termination. The term of these Workday Strategic Sourcing Enterprise Privacy Terms will end simultaneously and automatically at the later of (i) the termination of the Agreement or, (ii) when all Personal Data is deleted from Workday’s systems.
12.2 Conflict. These Workday Strategic Sourcing Enterprise Privacy Terms are subject to the non-conflicting terms of the Agreement. With regard to the subject matter of these Workday Strategic Sourcing Enterprise Privacy Terms, in the event of inconsistencies between the provisions of these Workday Strategic Sourcing Enterprise Privacy Terms and the Agreement, the provisions of these Workday Strategic Sourcing Enterprise Privacy Terms shall prevail with regard to the parties’ data protection obligations.
12.3 Remedies. Customer’s remedies (including those of its Affiliates) with respect to any breach by Workday or its affiliates of the terms of these Workday Strategic Sourcing Enterprise Privacy Terms (including the Standard Contractual Clauses), and the overall aggregate liability of Workday and its affiliates arising out of, or in connection with the Agreement (including these Workday Strategic Sourcing Enterprise Privacy Terms) will be subject to any aggregate limitation of liability that has been agreed between the parties under the Agreement (the “Liability Cap”). For the avoidance of doubt, the parties intend and agree that the overall aggregate liability of Workday and its affiliates arising out of, or in connection with the Agreement (including these Workday Strategic Sourcing Enterprise Privacy Terms) shall in no event exceed the Liability Cap.
12.4 Miscellaneous. The section headings contained in these Workday Strategic Sourcing Enterprise Privacy Terms are for reference purposes only and shall not in any way affect the meaning or interpretation of these Workday Strategic Sourcing Enterprise Privacy Terms.
The data exporter is (please specify briefly your activities relevant to the transfer):
A customer of Workday’s enterprise software-as-a-service applications.
The data importer is (please specify briefly activities relevant to the transfer):
Workday is a provider of enterprise software-as-a-service applications. The data importer processes Personal Data on behalf of and according to the instructions of data exporter.
The personal data transferred concern the following categories of data subjects (please specify):
- Data exporter’s prospective, current, and former employees and other workers or suppliers;
- Employees or contact persons of data exporter’s business partners and suppliers.
Categories of data
The personal data transferred concern the following categories of data (please specify):
Data that is typically required for strategic sourcing and procurement operations, including the categories of data identified below:
- Employees and other workers: Name; contact information (including work address, telephone numbers, and email address); job or position title;
- Business partners and suppliers: Name and contact information (including work address, work telephone numbers, mobile telephone numbers, web address, instant messenger, work email address); business title; company.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The personal data transferred will be subject to the following basic processing activities (please specify):
Basic processing activities involve storing Personal Data and processing to operate and maintain the enterprise software-as-a-service applications and implement data exporter’s instructions when using the software-as-a-service applications (e.g., storage, use, retrieval, or erasure of Personal Data).
Basic processing activities involve using, configuring, and storing Personal Data to provide Professional Services and implement data exporter’s instructions.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
Description of the technical and organizational security measures implemented by Workday:
Data importer shall implement appropriate technical and organisational measures, designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data as set forth in Section 7.
Workday maintains a comprehensive, written information security program that contains administrative, technical, and physical safeguards that, taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing of Sourcing Data as well as the associated risks, are appropriate to (a) the type of information that Workday will store as Sourcing Data; and (b) the need for security and confidentiality of such information. Workday's security program is designed to:
- Protect the confidentiality, integrity, and availability of Sourcing Data in Workday’s possession or control or to which Workday has access;
- Protect against any anticipated threats or hazards to the confidentiality, integrity, and availability of Sourcing Data;
- Protect against unauthorized or unlawful access, use, disclosure, alteration, or destruction of Sourcing Data;
- Protect against accidental loss or destruction of, or damage to, Sourcing Data; and
- Safeguard information as set forth in any local, state, or federal regulations by which Workday may be regulated.
Without limiting the generality of the foregoing, Workday’s security program includes:
- Security Awareness and Training. Mandatory employee security awareness and training programs, which include:
- Training on how to implement and comply with its information security program; and
- Promoting a culture of security awareness.
- Access Controls. Policies, procedures, and logical controls:
- To limit access to its information systems and the facility or facilities in which they are housed to properly authorized persons;
- To prevent those workforce members and others who should not have access from obtaining access; and
- To remove access in a timely basis in the event of a change in job responsibilities or job status.
- Physical and Environmental Security. Controls that provide reasonable assurance that access to physical servers at the data centers housing Sourcing Data is limited to properly authorized individuals and that environmental controls are established to detect, prevent, and control destruction due to environmental extremes.
- Security Incident Procedures. A security incident response plan that includes procedures to be followed in the event of any security breach of any application or system directly associated with the accessing, processing, storage, or transmission of Sourcing Data.
- Contingency Planning. Policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, pandemic flu, and natural disaster) that could damage Sourcing Data or production systems that contain Sourcing Data.
- Audit Controls. Technical or procedural mechanisms put in place to promote efficient and effective operations, as well as compliance with policies.
- Data Integrity. Policies and procedures to ensure the confidentiality, integrity, and availability of Sourcing Data and to protect it from disclosure, improper alteration, or destruction.
- Storage and Transmission Security. Security measures to guard against unauthorized access to Covered Data that is being transmitted over a public electronic communications network or stored electronically.
- Secure Disposal. Policies and procedures regarding the secure disposal of tangible property containing Sourcing Data, taking into account available technology so that such data cannot be practicably read or reconstructed.
- Assigned Security Responsibility. Assigning responsibility for the development, implementation, and maintenance of its information security program, including:
- Designating a security official with overall responsibility; and
- Defining security roles and responsibilities for individuals with security responsibilities.
- Testing. Regularly testing the key controls, systems and procedures of its information security program to validate that they are properly implemented and effective in addressing the threats and risks identified.
- Monitoring. Network and systems monitoring, including error logs on servers, disks, and security events for any potential problems. Such monitoring includes:
- Reviewing changes affecting systems handling authentication, authorization, and auditing;
- Reviewing privileged access to Workday production systems processing Sourcing Data; and
- Engaging third parties to perform network vulnerability assessments and penetration testing on a regular basis.
- Change and Configuration Management. Maintaining policies and procedures for managing changes Workday makes to production systems, applications, and databases processing Sourcing Data. Such policies and procedures include:
- A process for documenting, testing and approving the patching and maintenance of the Covered Service;
- A security patching process that requires patching systems in a timely manner based on a risk analysis; and
- A process for Workday to utilize a third party to conduct web application level security assessments. These assessments generally include testing, where applicable, for:
- Cross-site request forgery
- Services scanning
- Improper input handling (e.g., cross-site scripting, SQL injection, XML injection, cross-site flashing)
- XML and SOAP attacks
- Weak session management
- Data validation flaws and data model constraint inconsistencies
- Insufficient authentication
- Insufficient authorization
- Program Adjustments. Workday monitors, evaluates, and adjusts, as appropriate, the security program in light of:
- Any relevant changes in technology and any internal or external threats to Workday or the Sourcing Data;
- Security and data privacy regulations applicable to Workday; and
- Workday’s own changing business arrangements, such as mergers and acquisitions, alliances and joint ventures, outsourcing arrangements, and changes to information systems.