EU-U.S. & Swiss-U.S. Privacy Shield Privacy Notice
Effective Date: April 8, 2019
Workday, Inc. (“Workday”) commits to subject to the Privacy Shield Principles all personal data that Workday receives from the European Economic Area ("EEA"), the United Kingdom and Switzerland in reliance on the respective EU-U.S. & Swiss-U.S. Privacy Shield. Information regarding the Privacy Shield framework and Workday’s certification can be found at: https://www.privacyshield.gov.
Types of personal data collected and purposes of collection and use
Workday collects personal data about EEA, UK and Swiss-based personnel that customers and their authorized users either enter into Workday’s Cloud-Based Enterprise Applications; or provide to Workday under a professional services engagement to be input into or accessed within the Service (collectively, “Services Personal Data”).
Workday acts as a data processor with respect to this data. Workday processes Services Personal Data to provide and support the Service for which the Customer has engaged Workday. Workday processes Services Personal Data as instructed by its Customers, and does not control or own the Services Personal Data it processes.
Commitment to subject to the Principles
We subject to the Principles all European, British and Swiss Services Personal Data that we receive from the EEA, the UK and Switzerland in reliance on the respective Privacy Shield. We also receive some data in reliance on other compliance mechanisms, including data processing agreements based on the EU Standard Contractual Clauses.
Type of third parties to which we disclose personal data and purposes
As a data processor, Workday will disclose Services Personal Data only as instructed by the data controller. In some cases we may share Services Personal Data with our subcontractors to provide the Workday service to our Customers. If Workday goes through a business transition, such as a merger, acquisition by another company or sale of all or a portion of its assets. In all cases, Services Personal Data may only be transferred in accordance with the Customer agreement.
Requirement to disclose
In addition, Workday may be required to disclose Services Personal Data in special cases when we have a good faith belief that such action is necessary to conform to legal requirements or to respond to lawful requests by public authorities, including to meet national security or law enforcement requirements. Workday will notify Customer of such request unless prohibited by law.
Right to access
Where Workday is a data processor, individuals who seek access or who seek to correct, amend or delete inaccurate Services Personal Data, should contact the Workday Customer (the data controller). In some instances, the Customer may have enabled the individual to perform these updates themselves through the Workday Service. If the Customer requests Workday remove the Services Personal Data to comply with data protection regulations, Workday will respond to the Customer’s request within 30 days.
Choices and means
Workday retains Services Personal Data according to the timeframes set forth in the relevant Customer agreement. Individuals who would like to request that their personal data not be used for specific purposes or disclosed should contact the Workday Customer (the data controller).
Independent dispute resolution body
If you are located in the EEA, UK or Switzerland and Workday has not been able to satisfactorily resolve your question or complaint regarding our privacy practices, you may raise your concern to the attention of your data protection authorities (“DPAs”) or the Swiss Federal Data Protection and Information Commissioner, as applicable. The DPAs or the Commissioner will establish a panel to investigate and resolve complaints brought under the Privacy Shield and Workday will comply with the advice of this panel or Commissioner, as applicable with regard to data transferred from the EEA, the UK and Switzerland, as applicable. Furthermore, Workday will comply with the advice given by DPAs and take necessary steps to remediate any non-compliance with the Privacy Shield Principles.
Investigatory and enforcement powers of the FTC
Workday is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. Workday also is committed to cooperating with EEA, UK and Swiss data protection authorities.
If you are located in the EEA, the UK or Switzerland and have exhausted all other means to resolve your concern regarding a potential violation of Workday’s obligations under the Privacy Shield Principles, you may seek resolution via binding arbitration. For additional information about the arbitration process please see Annex I of the Privacy Shield: https://www.privacyshield.gov/article?id=ANNEX-I-introduction.
If a third party service provider providing services on Workday’s behalf processes personal data from the EEA, the UK or Switzerland in a manner inconsistent with the Privacy Shield Principles, Workday will be liable unless we can prove that we are not responsible for the event giving rise to the damages.
Inquiries or Complaints
Please refer any inquiries or complaints regarding Workday’s Privacy Practices to firstname.lastname@example.org or by regular mail addressed to:
6110 Stoneridge Mall Road
Pleasanton, CA 94588
You can also contact our EEA-based subsidiary, Workday Limited, with inquiries or complaints via regular mail addressed to: