PRIVACY AT WORKDAY
We’re committed to protecting your privacy.
At Workday, we protect your personal data and help you meet your data privacy requirements. We’re transparent about our privacy practices and provide valuable resources about privacy obligations.
Our privacy principles.
We’re committed to following three privacy principles that reflect our core values:
We put privacy first.
We innovate responsibly.
We safeguard fairness and trust.
These privacy principles drive how we train our employees, how we design and build products, and ultimately, how we process personal data.
Learn more about the Workday Privacy Program.
Privacy protections have been a fundamental component of our services from the beginning. We embed privacy into our people, processes, and technology, and our configurable privacy tools help customers meet complex privacy needs.
We embrace the concept of privacy by design. We understand that privacy requirements may differ based on industry, geography, and approach. To help you meet your obligations, Workday products include configurable privacy tools.
Workday is a foundational supporter of the International Association of Privacy Professionals (IAPP) AI Governance Center. The IAPP AI Governance Center aims to ensure AI systems are developed, integrated, and deployed in line with emerging AI laws and policies—in ways customers can trust.
A comprehensive compliance program underpins our privacy practices. We demonstrate how we protect your data through our robust third-party audits and certifications, and are often among the first to receive them.
“At Sun Life, the strength of our ongoing partnership with Workday really comes down to trust.”
—Senior Vice President, Global Talent
Global data privacy.
Workday recognizes privacy as a fundamental human right and supports the free flow of data. As the focus on privacy grows around the world, you need a partner to support your organization as data protection issues become more complex.
At Workday, you can rest assured that we’re committed to staying on top of global privacy standards. Using our core principles as our guide, we develop our products, business practices, and customer agreements in accordance with global data privacy requirements.
We also monitor changing regulations and guidance that supervisory authorities issue. And we contractually commit to comply with all laws applicable to Workday as a data processor, including data privacy laws.
Instead of chasing down your vendors to address the latest privacy laws, we make it easy to use Workday for your global workforce. We identify opportunities to help our customers with cross-border data transfers. Whether it’s being certified under the EU-U.S. Data Privacy Framework, receiving approval for our Processor Binding Corporate Rules (BCRs), or being the first company to receive approval for the APEC Privacy Rules for Processors, we find innovative ways to help you with your transfers. Our Master Subscription Agreement (MSA) includes the European Commission’s Standard Contractual Clauses (SCC), which enable the transfer of personal data from the European Economic Area to the United States.
We partner with our global customers as you conduct any necessary Transfer Impact Assessments (TIA), prior to transferring personal data to third-party countries. We proactively share information, such as FAQs and whitepapers, to help you navigate these assessments.
Data privacy regulations and laws vary across regions and countries. We closely monitor evolving data protection requirements in countries where we do business. Based on our analysis, we revisit and revise our administrative, technical, and operational practices.
Data privacy requirements also vary by company, as they depend on a company’s industry, the types of personal data collected, policy commitments, and any relevant internal compliance processes. We’re ready to help you understand how our program supports your compliance needs.
The EU-U.S. Data Privacy Framework (DPF) establishes a valid mechanism for data transfers from the EU to the U.S. in compliance with the transfer provisions of the GDPR. The DPF certification can be verified by inspecting the official Data Privacy Framework List, which is the single source of truth. We have also adhered to the UK extension.
Workday was the first cloud service provider to declare adherence to the EU Cloud Code of Conduct (CCoC), which consists of a set of requirements that enable cloud service providers (CSPs) to demonstrate their capability to comply with GDPR. Annual reviews take place by the independent monitoring body. Verify Workday’s adherence to the CCoC.
Read the European Union and United Kingdom Privacy Overview datasheet.
Additional resources for customers are available on Workday Community:
Workday strongly supports federal privacy laws in the United States, and we stay up to date on emerging state laws. Currently, privacy requirements within the U.S. are subject to state and sector-specific legal regimes.
Workday certifies to the Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework principles. Read more about our TRUSTe verification status to the Data Privacy Framework.
We also provide information to help support your compliance with the Health Information Portability Accountability Act (HIPAA).
We closely follow laws across the region, such as Canada’s PIPEDA, Mexico’s Federal Data Privacy Law, or Argentina’s Personal Data Protection Act, and provide resources to our customers to help them meet their privacy needs across the Americas.
Read the Canada and United States Privacy Overview datasheet.
Additional resources on state privacy laws are available on Workday Community:
Workday is confident we can support our customers in APJ with their data protection requirements. We closely monitor evolving data protection requirements in countries where our customers do business, including China, and provide information for changing compliance needs. We were one of the first companies to be certified to the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules (APEC CBPR) in March 2014, and the first to be certified for Privacy Rules for Processors (APEC PRP) in September 2018. The APEC certifications are a voluntary set of privacy standards to facilitate data transfers among APEC economies. We have received a third-party certification from TRUSTe, which is the APEC Accountability Agent for the United States.
Read the Asia-Pacific and Japan Privacy Overview datasheet.
Additional resources for customers are available on Workday Community:
Our commitment to our customers.
We strive to be transparent with our customers about how your data will be safeguarded and processed by Workday. Workday deeply invests in certifying to leading industry standards and frameworks so our customers can easily verify our privacy practices. Learn more about our complete compliance program.
Know how your data is protected. Workday describes our security and privacy obligations in the Workday Master Subscription Agreement (MSA). We provide a warranty for compliance with all applicable laws, including data privacy, international communications, and the transmission of personal data. Our MSA includes our Universal Data Processing Exhibit (UDPE), providing a single set of privacy terms for all Workday software-as-a-service as well as any professional services we deliver. The UDPE harmonizes the data processing terms across our various offerings and provides our customers a robust and future-proofed set of terms. Read our FAQ about the Workday MSA and UDPE.
We hold our subprocessors to rigorous standards to protect privacy and personal data. Workday has processes in place designed to verify that subprocessors have implemented appropriate technical and organizational measures to safeguard privacy. See the list of Workday-authorized subprocessors for Workday SaaS applications and for professional services.
We respect our customers’ instructions related to the personal data they enter into our services. Workday will not disclose customers’ data in response to a government request unless required by law. We believe that any government request for data should be directed to the customer who owns and controls that data. When contacted by a government entity, Workday will redirect the agency to make the request directly to the relevant customer. Workday will notify the relevant customer of the request unless legally prohibited from doing so.
We will challenge any government request that is not valid and lawful, or does not comply with all applicable legal and statutory safeguards. Further information about Workday policies and procedures for government requests is available in our Transparency Report and on Workday Community.
Get the power to adapt.