Employee Privacy Statement
Effective: August 3, 2020
We are Workday, a group of companies with offices all over the world. Workday is committed to protecting your personal data, as Workday Personnel. “Workday Personnel” includes current and former employees and those who work on a non-permanent basis, including contingent workers, temporary and contract workers, independent contractors, and interns.
This Employee Privacy Statement describes how Workday collects, uses, discloses, transfers, and stores your personal data and your rights in connection with your personal data as part of the employment process. How we process your personal data may vary by jurisdiction based on (i) applicable law, (ii) your employment agreement, and/or (iii) the nature of your position and duties.
We recommend that you read this Privacy Statement in full to ensure you are fully informed; however, if you only want to access a particular section, you can click on the relevant link below to jump to that section:
Personal data we collect.
As part of the employment process at Workday we may collect personal data about you, your dependents, beneficiaries, and other related individuals whose personal data has been provided to us. The types of personal data we collect about you may vary based upon your role and applicable law. Personal data we may collect includes, but is not limited to:
- Identification data, such as your name, gender, photograph, date of birth, Workday IDs;
- Contact information, such as email address(es), physical or mailing address(es), and telephone number(s)
- Employment information, such as goals, performance data, performance reviews and feedback, career development, payroll, stock, compensation, business expenses, reimbursements, and other financial information
- Job application information, such as a resume, an application, background check, and public records information
- Government identification numbers
- Benefits and pension information, such as benefits elections for welfare, disability, leave, medical, or other benefits and associated dependent information
- Dependent and/or beneficiary information to provide benefit packages to you as part of your compensation, such as health or life insurance coverage or other benefits;
- Emergency contact information to be used in the event of an emergency
- Workplace information, such as photographs and videos
- Responses to voluntary workplace satisfaction surveys
- Information about your access to and use of Workday property, such as documents, data, computers, network, applications, physical facilities and other resources, including IP addresses, access logs, and similar data about you
- Work-related healthcare information, such as information related to a medical leave or safety incident
- Information required by applicable law or regulatory requirement; and
- Other information described at the time it is collected or as necessary to establish, administer, manage, and terminate the employment relationship
If you are a contingent worker, the type of personal data we process is limited to that needed to manage your particular work assignment with Workday, but may include all or some of the above items.
Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, biometric data, data concerning health, sexual orientation, and criminal history may be collected where allowed by law or with your consent. As a general rule, we try not to collect or process any of this data about you unless authorized by law or where necessary to comply with applicable laws. However, in some circumstances, we may need to collect, or request on a voluntary disclosure basis, some sensitive personal data for legitimate employment-related purposes.
- Information about your racial/ethnic origin, gender, sexual orientation, and disabilities may be collected for the purposes of creating a diverse and inclusive work environment, compliance with equal employment opportunity obligations, or complying with anti-discrimination laws and government reporting obligations
- Information about your physical or mental condition may be collected to provide work-related accommodations, health and insurance benefits to you and your dependents, or to manage absences from work.
Workday offices use CCTV (Closed Circuit Television) cameras for safety and crime prevention purposes. When you enter a Workday office, you may have your image captured on our CCTV. Notices will let you know where Workday is operating CCTV cameras. The CCTV system is not used to monitor the work of employees or their attendance.
While most of this personal data is collected directly from you, Workday may collect information from third parties in relation to your employment, employment application, benefits, or other services we may offer. In general, you are required to provide your personal data, except in limited instances when we indicate that certain data is voluntary (e.g., in connection with employee satisfaction surveys).
How we use your personal data.
We will use the personal data listed above to administer employment and employment-related activities, including:
- To establish, administer and manage all aspects of your employment relationship (e.g., payroll, benefits, stock administration, travel, expenses, corporate credit cards, professional development, training, absence monitoring, performance management, disciplinary and grievance processes, business management and human resources-related processes)
- To maintain a global directory of Workday Personnel which contains your professional contact details (such as your name, location, photo, job title and contact details) for use by Workday Personnel to facilitate global cooperation, communication and teamwork
- To ensure compliance with applicable Workday policies, including by managing physical/IT/network security, and conducting internal investigations
- To comply with applicable legal or regulatory requirements
- To perform analysis on data generated during the course of employees’ activities, to inform business intelligence, accelerate business operations, identify training/development/awareness opportunities, evaluate and/or suggest career opportunities, assist workers with data-driven predictions, and personalization
- To perform analysis on organizational and activity data to identify potential business improvements or opportunities for efficiency
- To provide you with required tools and technology, and manage your access to these resources in line with your job role
- To evaluate and report on the demographic makeup of our workforce, where allowed by law (e.g., diversity reporting)
- To maintain and protect the safety and security of our employees, vendors, customers, other workers, Workday services, property of Workday, or the public
- To communicate with you or your designated contacts in case of emergency
- To send work-related materials, such as computer equipment and courier packaging for equipment returns
- Other purposes described to you at the time we collect your personal data
Workday collects data through the CCTV system to (i) control access to our premises and to ensure the safety of our premises, our staff and visitors, and (ii) prevent, deter, and if necessary, investigate unauthorized physical access, including unauthorized access to secure premises, IT infrastructure, or theft of equipment or assets.
Workday also may use third-party services, such as Google Analytics, to better understand usage, such as how many Workday Personnel are visiting internal websites, how long they are staying on the sites, and which pages are most popular. Internal website usage data is collected by Workday approved third parties and aggregated before being provided to Workday for interpretation.
We process Workday Personnel personal data through several systems and third-party vendors, including our global human resources system (Workday on Workday), which helps us administer HR and employee compensation and benefits at an international level and which allows Workday Personnel to manage their own personal data in some cases.
Disclosure of data.
We share the minimum amount of personal data necessary with third parties. When information is shared it is either to fulfil our legal obligation or for a contracted service. For example, we may share identity information, including date of birth, to an insurance company where you have enrolled in a Workday benefit. Whenever we permit a third party to access personal data, we will implement appropriate measures to provide assurance that the information is used in a manner consistent with this privacy statement and with applicable law, and that the security and confidentiality of the information is maintained. When we process sensitive employee data, this information will only be transferred outside of your country if permitted by applicable law.
We may disclose personal data to the following parties:
- Members of Workday around the world, for example to facilitate general business management
- Workday-contracted third party service providers to carry out certain HR management activities (e.g., benefits, recruitment and salary and other compensation expenses), IT-related tasks (e.g., for maintenance of secure systems and networks) or other business services;
- Third parties that provide tools and services to facilitate you in your job responsibilities;
- Third parties with whom you instruct Workday to share your personal data
- Third parties that provide analysis, benchmarking, and other business intelligence services involving external data sources
- Contractors and vendors who require such information to assist us with establishing, administering, and managing the employment relationship
- Law enforcement, other government entities, or authorized third parties to comply with applicable law or to respond to a valid legal process
- Other third parties that in good faith belief that disclosure is necessary to protect your safety or the safety of others
- Other corporate entities if Workday goes through a business transition, such as a merger, acquisition by another company or sale of all or a portion of its assets
Workday does not sell personal data that it collects or processes as part of the employment process or any related processes.
Where your personal data is processed.
Your personal data may be processed in: (i) the countries where you are employed or are conducting work for Workday, (ii) the United States, or (iii) any other country where Workday or Workday-contracted third-party service providers have operations. Third-party organizations processing personal data for Workday must comply with all relevant privacy laws in order to protect your personal data in any country where they process or transfer the data.
Workday operates as a global business and may transfer, store, or process your personal data in a country outside your jurisdiction, including ones that are not subject to an adequacy decision by the European Commission. However, we have taken appropriate safeguards to require that your personal data will remain protected in accordance with this Privacy Statement. These safeguards include implementing the European Commission’s Standard Contractual Clauses for transfers of personal data between our group companies, thus requiring all group companies to protect personal data they process from the EEA in accordance with European Union data protection law.
Your personal data may be stored and processed in the United States and in any other country where Workday or its affiliates, subsidiaries, or third-party service providers maintain facilities. Workday stores and retains your data for as long as is needed to fulfill the purposes described in this statement or as otherwise required by law. Typically, this means we keep your personal data until the end of your work relationship with us plus a reasonable period of time afterwards to respond to employment or work-related inquiries or to deal with any legal matters (e.g., judicial or disciplinary actions), document the proper termination of your employment or work relationship (e.g., to tax authorities), or to provide you with ongoing pensions or other benefits.
CCTV footage is retained for 90 days in North American offices and 30 days in all other offices.
Your rights over your personal data.
Depending on where you are located, you may have certain legal rights over the personal data we hold about you, subject to local privacy laws. These may include the right to:
- Access the personal data we hold about you
- Have incorrect personal data updated or deleted
- Have your personal data deleted
- Restrict the processing of your personal data
- Object to the processing of your personal data carried out on the basis of our legitimate interests
- Receive a copy of your personal data in an electronic and machine-readable format
- Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or otherwise significantly affects you (“Automated Decision-Making”). Workday does not perform Automated Decision-Making as part of the processing activities covered by this Privacy Statement.
- Complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority.
Workday will not discriminate against you for exercising your rights.
You, or an authorized individual we can verify is acting on your behalf, can exercise the applicable rights by contacting us using the contact details at the bottom of this statement or by submitting your request through our Request Portal.
Legal basis for processing personal data.
For Workday Personnel in the European Economic Area, our legal basis for collecting and using the personal data described above, including any sensitive personal data, will depend on the personal data concerned and the specific context in which we collect it. However, we will normally collect personal data from you only where we have your consent to do so, where we need the personal data to enter into or perform a contract with you (i.e., to administer an employment or work relationship with us), or where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms.
These legitimate interests include, for example, contacting you to provide support or sending you employment information (subject to applicable law), detecting, preventing and investigating illegal activities, potential security issues or policy violations, and maintaining and improving our internal tools and systems. In some cases, we may also have a legal obligation to collect personal data from you or may otherwise need the personal data such as in response to a court or regulator order, to protect your vital interests or those of another person, or to exercise, establish, or defend legal claims.
If you have questions or need further information concerning the legal basis on which we collect and use your personal data, please contact us using the details provided in the “How to contact us” section, below.
We use technical and organizational measures that provide a level of security appropriate to the risk of processing your personal data and require our vendors and suppliers to do the same. However, you are responsible for maintaining the security of your password or other forms of authentication involved in accessing password-protected or secured resources.
E.U.-U.S. and Swiss-U.S. Privacy Shield
Workday complies with the U.S. Department of Commerce-maintained EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework regarding the collection, use, and retention of personal data transferred from the European Economic Area (EEA), Switzerland, or the United Kingdom to the United States. Workday has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Statement and the Privacy Shield Principles, the Privacy Shield Principles shall govern.
To learn more about the Privacy Shield Frameworks and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List.
Workday is responsible for processing personal data we receive under each Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. Workday complies with the Privacy Shield Principles for all onward transfers of personal data from the EEA, Switzerland, or the United Kingdom, including the onward transfer liability provisions.
With respect to personal data received or transferred pursuant to the Privacy Shield Frameworks, Workday is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Under certain conditions, more fully described on the Privacy Shield website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Workday’s privacy practices, described in this Privacy Statement, comply with the APEC Cross-Border Privacy Rules System. The APEC CBPR system provides a framework for organizations to ensure protection of personal data transferred among participating APEC economies. More information about the APEC framework can be found here.
Changes to this Privacy Statement.
This Employee Privacy Statement may be amended or revised from time to time at Workday’s discretion. The most recent document is available via your Workday on Workday account. If we propose to make any material changes, we will provide notice on this page prior to the change becoming effective. All amendments and revisions are effective immediately upon communication, unless your consent is necessary for the change.
How to contact us.
If you have any questions about this Privacy Statement, or wish to exercise your rights, please submit your request through our Request Portal. You may also contact us at firstname.lastname@example.org or one of the mailing addresses below:
6110 Stoneridge Mall Road
Pleasanton, CA 94588
Kings Building, May Lane
To contact our Data Protection Officer, please email email@example.com.
The controller of your personal data is the Workday affiliate that employs you. For a list of Workday affiliates and their contact details, please see here.