Data Subject Version
This document sets out our commitments towards individuals benefiting from the third-party beneficiary rights as data subjects of our customers whose Personal Data is covered by the BCR pursuant to the customer's Service Agreement.
Workday, Inc. and its subsidiaries listed on Schedule 1 hereto (collectively the “Workday Group”) provide a software-as-a-service offering where customers can load and process data on the systems of the Workday Group. The Workday Group does not select or control the customers’ data or processing. The Workday Group only provides the technology platform and applications on which customers process data and provides ancillary support for the application on the customer’s behalf and for the customer’s benefit.
2. BCR as additional compliance option
The Workday Group is committed to offering its customers state of the art software-as-a-service solutions, data security standards and support with respect to the customer’s data privacy compliance needs. The Workday Group does and will continue to offer its customers adequate data transfer and processing agreements and compliance options based on Workday, Inc.’s certification under the EU/CH-U.S. Privacy Shield Programs. To provide an alternative route to achieve compliance with data protection and data privacy laws, the Workday Group implements these Processor Binding Corporate Rules (“BCR”). Customers of the Workday Group that prefer the BCR approach can contract with members of the Workday Group to cover their data under these BCR, as further specified in the contractual agreement between such member of the Workday Group and the customer (“Service Agreement”). These BCR achieve an adequate level of protection for Personal Data, as required by the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and also satisfy requirements under other jurisdictions’ laws.
Hundreds of companies, ranging from medium-size to the Fortune 50, are amongst the customers of the Workday Group, each with different compliance needs and preferences.
Members of the Workday Group act as processors for the Personal Data its customers submit electronically into the software-as-a-service application of the Workday Group. The processing activities involve the storing of the Personal Data and the processing necessary to operate and maintain the software-as-a-service applications and implement the individual customer's instructions when using the software-as-a-service applications.
The Personal Data processed by the Workday Group on behalf of its customers pertains to their prospective, current and former employees and the dependents or beneficiaries of such employees, as necessary for the customers as part of their human resources and benefits processing. Depending on the choice of the individual customer, the Personal Data contains, without limitation, name, contact information, personal status information, information pertaining to employment or similar contracts, information on work experience, education and training, and compensation, payroll and benefits information. Depending on the circumstances of the individual case, the Personal Data might also contain information on ethnicity, religious beliefs, disability or trade union membership.
As required to provide its services to its customers, the Workday Group may export the Personal Data to the countries in which the different members of the Workday Group have their place of business (see Schedule 1 to the BCR set forth in Article II).
The Workday Group will agree with each customer in a Service Agreement which categories of the customer’s data shall be covered by these BCR, for example, only Personal Data of data subjects in the European Economic Area (“EEA”) or also data of data subjects in other jurisdictions. Once such an agreement has been reached, the Workday Group and its employees and contractors will comply with these BCR with respect to the data identified in the Service Agreement. Additional privacy compliance laws and requirements may apply to specific data, locations or functions.
Notwithstanding the potentially broader scope of these BCR, as specified in a Service Agreement with a particular customer, the Workday Group adopts defined terms and compliance concepts of the GDPR and the Working Document WP 257 rev.01 of the Article 29 Data Protection Working Party dated February 6, 2018, as endorsed by the European Data Protection Board on May 25, 2018, recognizing the high level of data protection laws that the European Union has established. Therefore, the following terms shall have the meaning defined in the GDPR: Controller, processor, data subject, Personal Data, Personal Data breach, processing, and supervisory authority.
For the purposes of these BCR, (i) the term “Controller” used with respect to a particular set of Personal Data shall be interpreted to refer to a legal entity with whom a member of the Workday Group has entered into a Service Agreement which incorporates by reference these BCR, and (ii) the term “Personal Data” shall be interpreted to refer to any Personal Data submitted electronically into the software-as-a-service application of the Workday Group.
1.1 The duty to respect the BCR
All members of the Workday Group and their employees have the duty to respect the BCR and the instructions regarding the data processing and the security and confidentiality measures as provided in the Service Agreement.
1.2 Third-party beneficiary rights for data subjects
1.2.1 Each data subject whose Personal Data is covered by the BCR pursuant to a Service Agreement shall have the right to enforce the following elements of the BCR as a third-party beneficiary directly against each member of the Workday Group involved in the processing of the data subject's Personal Data:
1.2.2 Each data subject whose Personal Data is covered by the BCR pursuant to a Service Agreement shall have the right to enforce the BCR as a third-party beneficiary against each member of the Workday Group involved in the processing of the data subject's Personal Data in case the data subject is not able to bring a claim against the Controller because the Controller has factually disappeared or ceased to exist in law or has become insolvent, unless any successor entity has assumed the entire legal obligations of the Controller by contract or by operation of law, in which case the data subject can enforce its rights against such entity. In such a case, the data subject shall be able to enforce against the respective member of the Workday Group the following sections set out in this document: Article II, Sections 1.1, 1.2, 1.3, 1.5, 2.1, 3.1, 3.2, 5.1, 5.2 and 5.3.
1.2.3 The data subjects’ rights as mentioned in the preceding Sections 1.2.1 and 1.2.2 shall cover the judicial remedies for any breach of the third-party beneficiary rights guaranteed and the right to obtain redress and where appropriate receive compensation for any damage (material harm but also any distress). In particular, data subjects in the EU shall be entitled to lodge a complaint before the competent supervisory authority; the data subject shall have a choice between the supervisory authority of the EU Member State of his/her habitual residence, place of work or place of alleged infringement. Data subjects in the EU shall be entitled also to lodge a complaint before the competent court, with a choice for the data subject to act before the courts where the controller or processor has an establishment or where the data subject has his or her habitual residence pursuant to Article 79 of the GDPR.
1.2.4 Where a member of the Workday Group and the Controller involved in the same processing are found responsible for any damage caused by such processing, the data subject shall be entitled to receive compensation for the entire damage directly from the respective member of the Workday Group (Art. 82.4 GDPR).
1.3 Responsibility towards the Controller
The BCR shall be made binding toward the Controller through a specific reference to it in the Service Agreement. If and to the extent provided in the Service Agreement, the Controller shall have the right to enforce the BCR against (a) any member of the Workday Group for breaches such member caused, (b) Workday Limited, Kings Building, May Lane, Dublin 7, Ireland in case of a breach of the BCR or of the Service Agreement by members of the Workday Group established outside of the EEA or a breach of the written agreement referred under Section 5.1.vii of these BCR by any external sub-processor established outside of the EEA. The data Controllers’ rights shall cover the judicial remedies and the right to receive compensation, as further specified in the applicable Service Agreement.
1.4 Members of the Workday Group accepting liability have sufficient assets
The Workday Group will ensure that Workday Limited has sufficient assets to pay compensation for damages resulting from the breach of the BCR.
1.5 The burden of proof lies with the Workday Group not the individual data subject
1.5.1 Workday Limited will have the burden of proof that the member of the Workday Group outside of the EEA or the external sub-processor is not liable for any violation of the BCR which has resulted in the data subject claiming damages.
1.5.2 Where the Controller can demonstrate that it suffered damage and establish facts which show it is likely that the damage has occurred because of the breach of the BCR, it will be for Workday Limited to prove that the member of the Workday Group outside of the EEA or the external sub-processor was not responsible for the breach of the BCR giving rise to those damages or that no such breach took place.
1.5.3 If Workday Limited can prove that the member of the Workday Group outside the EEA or the external sub-processor is not responsible for the act, it may discharge itself from any responsibility/liability.
2.1 Complaint handling process
The Workday Group has delegated the Chief Privacy Officer as the specific point of contact who can be reached at email@example.com in the event that data subjects contact the Workday Group directly. However, in accordance with the Service Agreement of the Workday Group with Controllers, the Workday Group will, without undue delay, forward complaints related to the processing of or access to Personal Data from data subjects to the respective Controller, provided that the data subject has given sufficient information for the Workday Group to identify the Controller.
The Workday Group will handle complaints from data subjects where the responsible Controller has disappeared factually or has ceased to exist in law or become insolvent. In such cases, and provided that the Workday Group still maintains the data subjects’ Personal Data (i.e., it has not been deleted following termination of the Service Agreement), these complaints shall be timely handled by the Workday Group’s Chief Privacy Officer or another clearly identified department or person who has an appropriate level of independence in the exercise of his/her functions.
If and when the conditions in this section are met, data subjects who contact the Workday Group at firstname.lastname@example.org will be informed where to complain, in which form, the timescale for the reply on the complaint, consequences in case of rejection of the complaint, consequences in case the complaint is considered as justified, and consequences if the data subject is not satisfied by the replies (right to lodge a claim before the competent court/supervisory authority). In the event that the Workday Group no longer maintains the Personal Data, the data subject will be informed accordingly.
3.1 Duty to cooperate with supervisory authorities
All members of the Workday Group shall cooperate with, and accept to be audited by, the supervisory authorities competent for the relevant Controller and comply with applicable law and the advice of these supervisory authorities on any issue related to the BCR.
3.2 Duty to cooperate with Controllers
The Workday Group and any sub-processor shall cooperate and assist Controllers to comply with data protection law, such as the Controller’s duty to respect the data subject rights or to handle their complaints, or to be in a position to reply to an investigation or inquiry from supervisory authorities, subject to the applicable Service Agreement. This shall be done in a reasonable time and to the extent reasonably possible and as agreed upon in the applicable Service Agreement.
4.1 Transfers and material scope covered by the BCR
All members of the Workday Group listed on Schedule 1 have agreed to the BCR within the scope and for the types of data transfers specified in Article I of these BCR.
4.2 Geographical scope of the BCR (nature of data, type of data subjects, countries)
The structure and contact details of the Workday Group and its individual members are specified in Schedule 1. It is up to the Controller to require that the BCR apply to (i) all Personal Data processed for processor activities and that are submitted to EU law (for instance, data has been transferred from the European Union), or to (ii) all processing of data processed for processor activities within the Workday Group whatever the origin of the data, subject to the terms of the Service Agreement.
The BCR include the following principles, applicable to any member of the Workday Group with respect to Personal Data and Controllers covered by the BCR in accordance with the applicable Service Agreement which addresses procedural, operational and commercial arrangements, such as compensation for additional services that a Controller may request as part of assistance with the Controller’s compliance obligations under these privacy principles and applicable law. The privacy principles describe obligations of a processor and sub-processor in the Workday Group as well as obligations of a Controller, i.e. a customer of the Workday Group. Controllers, i.e. customers of the Workday Group, are not directly bound by these principles (only members of the Workday Group are directly bound), but if a Controller agrees to transfer data to the Workday Group under a Service Agreement that refers to these BCR, then the Controller agrees also to its obligations under these BCR.
i) Transparency, fairness and lawfulness: The Workday Group and any applicable sub-processors will have a general duty to help and assist Controllers to comply with the law (for instance, to be transparent about sub-processor activities in order to allow the Controller to correctly inform the data subject).
ii) Purpose limitation: The Workday Group and any applicable sub-processors shall process Personal Data only on behalf of the Controller and in compliance with its instructions including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law to which the Workday Group or its sub-processor is subject. In such a case, the Workday Group or its sub-processor shall inform the Controller of that legal requirement before processing takes place, unless that law prohibits such information on important grounds of public interest (Art. 28-3-a GDPR). In other cases, if the Workday Group or its sub-processor cannot provide such compliance for whatever reasons, they will promptly inform the Controller of their inability to comply, in which case the Controller is entitled to suspend the transfer of data.
On the termination of the provision of data processing services, the Workday Group and its sub-processors shall, at the choice of the Controller and in accordance with the terms of the applicable Service Agreement, delete or return all Personal Data to the Controller (for example, by way of providing the Controller with administrative access to the databases of the Workday Group) and delete the copies thereof, unless legislation imposed upon them requires storage of the Personal Data. In that case, the Workday Group and its sub-processors will inform the Controller and warrant that they will safeguard the confidentiality of the Personal Data and will not actively process the Personal Data anymore, except as otherwise instructed by the Controller.
iii) Data quality: The Workday Group and any applicable sub-processors shall assist the Controller to comply with the law, in particular:
iv) Security: The Workday Group and any applicable sub-processors comply with the Workday Group’s security and organizational measures set forth in the Service Agreement to ensure a level of security appropriate to the risks presented by the processing as provided by Art. 32 GDPR. The Workday Group and its sub-processors will assist Controllers in ensuring compliance with the obligations as set out in Art. 32 to 36 GDPR taking into account the nature of processing and information available to the Workday Group and its sub-processors (Art. 28.3.f GDPR) in accordance with the Service Agreement. The Workday Group shall inform Controllers without undue delay after becoming aware of any Personal Data breach affecting the Personal Data processed on their behalf. In addition, the sub-processors of the Workday Group shall inform Workday Group without undue delay after becoming aware of any Personal Data breach affecting the Personal Data processed on their behalf.
v) Data subject rights: When asked by a Controller, the Workday Group and any applicable sub-processors will execute any appropriate technical and organizational measures, insofar as this is possible and as agreed in the Service Agreement, for the fulfillment of the Controller's obligations to respond to requests for exercising the data subjects' rights as set out in Chapter III of the GDPR (Art. 28.3.e GDPR) (“Data Subject Request”) including by communicating any useful information in order to help the Controller to comply with the duty to respect the rights of the data subjects. If a data subject submits a Data Subject Request to the Workday Group or a sub-processor and the Workday Group can identify the Controller, the Workday Group shall transmit such requests to the responsible Controller. The Workday Group shall not respond to any such Data Subject Request except to confirm to the data subject that the request relates to that Controller.
vi) Sub-processing within the Group: Data may be sub-processed by other members of the Workday Group bound by the BCR only with the prior informed specific or general written authorization of the Controller. The Service Agreement will specify if a general prior authorization given at the beginning of the service would be sufficient or if a specific authorization will be required for each new sub-processor. If a general authorization is given, the Controller will be informed by Workday Group of any intended changes concerning the addition or replacement of a sub-processor in such a timely fashion that the Controller has the possibility to object to the change or to terminate the contract before the data are communicated to the new sub-processor.
vii) Onward transfers to external sub-processors: Data may be sub-processed by non-members of the Workday Group only with the prior informed specific or general written authorization of the Controller. If a general authorization is given, the Controller will be informed by the Workday Group of any intended changes concerning the addition or replacement of sub-processors in such a timely fashion that the Controller has the possibility to object to the change or to terminate the data processing by the Workday Group before the data are communicated to the new sub-processor.
Where the member of the Workday Group bound by the BCR subcontracts its obligations under the Service Agreement, with the authorization of the Controller, it shall do so only by way of a written contract or other legal act under Union or Member State law with the sub-processor which ensures that adequate protection is provided as set out in Art. 28, 29, 32, 45, 46 GDPR and that either (i) the same data protection obligations as set out in the Service Agreement between the Controller and the Workday Group and Sections 1.2, 1.3, 3 and 6 of these BCR are imposed on the sub-processor, or that (ii) other appropriate safeguards referred to in Art. 46.2 GDPR (including, without limitation, standard data protection clauses adopted by the European Commission per Art. 46.2.c GDPR) are properly implemented with the sub-processor, in particular providing, in either case, sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR (Art. 28.4 GDPR).
5.1.2 Accountability and other tools
The Workday Group shall, in accordance with the Service Agreement and the Customer Audit Program of the Workday Group, make available to Controllers all information necessary to demonstrate compliance with its obligations as provided by Article 28.3.h GDPR and allow for and contribute to audits, including inspections conducted by the respective Controller or another auditor mandated by the Controller. In addition, the Workday Group shall immediately inform a Controller if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
In order to demonstrate compliance with these BCR, members of the Workday Group maintain records of all categories of processing activities carried out on behalf of Controllers in line with the requirements as set out in Art. 30.2 GDPR.
The members of the Workday Group shall also assist the Controller in implementing appropriate technical and organizational measures to comply with data protection principles and facilitate compliance with the requirements set up by the BCR in practice such as data protection by design and by default (Art. 25 and 47.2.d GDPR) by implementing the controls set forth in Workday’s third-party audit reports.
5.2 The list of entities bound by BCR
Schedule 1 lists the members of the Workday Group bound by the BCR.
5.3 Transparency regarding conflicts between national legislation and the BCR
Where a member of the BCR has reasons to believe that the existing or future legislation applicable to it may prevent it from fulfilling the instructions received from the Controller or its obligations under the BCR or the Service Agreement, it will promptly notify this to (i) the Chief Privacy Officer of the Workday Group, who shall promptly inform the Controller, which is entitled to suspend the transfer of data and/or terminate the contract (or affected portions of a contract, as applicable and subject to the terms of the Service Agreement), and to (ii) the supervisory authority competent for the member of the Workday Group making the notification.
Any legally binding request for disclosure of the Personal Data by a law enforcement authority or a state security body shall be communicated to the Controller unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation. If communication with the Controller is prohibited, the member of the Workday Group shall inform its competent supervisory authority about the request, including information about the data requested, the requesting body and the legal basis for disclosure (unless otherwise prohibited).
If in specific cases the suspension and/or notification are prohibited, the requested member of the Workday Group will use its best efforts to obtain the right to waive this prohibition in order to communicate as much information as it can and as soon as possible, and be able to demonstrate that it did so.
In any case, transfers of Personal Data by a member of the Workday Group to any public authority cannot be massive, disproportionate and indiscriminate in a manner that would go beyond what is necessary in a democratic society.
Schedule 1: Members of the Workday Group bound by the BCR and respective contact details (as of November 14, 2018, as amended from time to time):
1. The Workday Group can be contacted via its Privacy, Ethics and Compliance team using the following contact details:
Dublin 7, Ireland
2. The individual members of the Workday Group and their respective contact details are set forth in the table below:
|1||Workday, Inc.||USA||6110 Stoneridge Mall Road, Pleasanton, CA 94588, USA
|2||Canada Workday ULC||Canada||1515 Douglas Street, Suite 600, Victoria, BC V8W 1P6
|3||Workday Asia Pacific Limited||Hong Kong||Suite 3301-04, 33/F Tower One, 1 Matheson St., Causeway Bay
|4||Workday Australia Pty Ltd||Australia||Level 12, 100 Pacific Highway, NSW 2060, Australia
|5||Workday Austria GmbH||Austria||Regus Opera, Käerntner Ring 5-7, 7th floor
|6||Workday B.V.||Netherlands||Gustav Mahlerplein 82, 1082 MA Amsterdam
|7||Workday (Beijing) Co. Ltd.||People’s Republic of China||1133, 11/F Beijing Kerry Center North Tower, 1 Gaung Hua Rd, Chaoyang District, Beijing, People's Republic of China 100020,
|8||Workday Belgium SPRL||Belgium||Spaces Mercier Square, Kardinaal Mercierplein 2
|9||Workday CZ s.r.o||Czech Republic||HubHub Palac ARA, 5 Perlova Street
|10||Workday Denmark ApS||Denmark||Harsdorffs Hus Office Club, Kongens Nytorv 5, 1050 Copenhagen, Denmark
|11||Workday España SL||Spain||Paseo de la Castellana 259 C, 18th floor
|12||Workday Finland Oy||Finland||Mannerheiminaukio 1A,
|13||Workday France||France||7-11 boulevard Haussmann
|14||Workday Global, Inc.||USA||6110 Stoneridge Mall Road, Pleasanton, CA 94588, USA
|15||Workday GmbH||Germany||Grillparzerstr. 14
|16||Workday India Private Limited||India||Prudential House, 3rd Floor, Hiranandani Gardens, Powai, Maharashtra Mumbai, 400076
|17||Workday International Limited||Ireland||6th Floor 2 Grand Canal Square, Dublin 2, Ireland
|18||Workday Italy S.r.l.||Italy||Bastioni di Porta Nuova 21 Milan 20121
|19||Workday K.K.||Japan||Shin-Aoyama Tokyu Building 7F, Minato-ku Tokyo 107-0062 Japan
|20||Workday Korea Limited||South Korea||14F Gangnam N Tower, 129 Teheran-ro, Gangnam-gu, Seoul 06133, South Korea
|21||Workday Limited||Ireland||Kings Building, Dublin 7, Ireland
|22||Workday Malaysia Sdn.Bhd.||Malaysia||2A Jalan Stesen Sentral 2, Kuala Lumpur 50470
|23||Workday Norway AS||Norway||House of Business, Henrik Ibsens gate 90
|24||Workday Polska sp. Z o.o.||Poland||HubHub, Al. Jerozolimskie 93, Warsaw, 02-001, Poland
|25||Workday Singapore Pte. Ltd.||Singapore||1 Wallich Street, #09-01 Guoco Tower
|26||Workday South Africa (Pty) Ltd||South Africa||9th Fl., 5th Street, Sandton
|27||Workday Sweden Aktiebolag||Sweden||Östra Järnvägsgatan 27, 9th floor, 111 20 Stockholm
|28||Workday Switzerland GmbH||Switzerland||Bleicherweg 10
|29||Workday (NZ) Unlimited||New Zealand||Level 2, 152 Fanshawe St, Westhaven, Auckland 1010
|30||Workday (Thailand) Co., Ltd||Thailand||973 President Tower, 6th Floor, Ploenchit Road, Lumpini, Pathumwan, Bangkok 10330
|31||Workday (UK) Limited||United Kingdom||Finsbury Circus House, 3rd Floor, 15 Finsbury Circus and 10 South Place, London, EC2M 7EB