Workday Privacy Statement
Effective: 18/08/2023
At Workday, we believe privacy is a fundamental right, regardless of where you live. When you connect with Workday, we understand you are trusting us to handle your personal information appropriately. That is why we are committed to transparency about how we collect, use and share that information.
If you’d like to know whether this Privacy Statement applies to you and your relationship with Workday, please see the “What does this Privacy Statement cover?” section below. To read the full privacy statement, view the “Privacy Statement” tab below.
Download/print a copy of this Privacy Statement
August 2023 Changes to This Privacy Statement
We added language regarding our reliance on the EU-U.S. Data Privacy Framework as a legal basis for transfers of personal information.
- About Workday Privacy
- Privacy Statement
What our Privacy Statement is about.
Before we share more about our privacy programme and practices, let’s make sure we are on the same page about the Workday business model and why it’s important to your privacy rights.
Workday is a leading provider of enterprise cloud applications for finance and human resources. This means Workday customers – companies, schools and governments – use our software applications to manage their workforces and/or finances.
While Workday has a range of software applications, our flagship products are our human capital management (HCM) and financial management applications. Our HCM applications allow customers to recruit, hire, train, manage and promote their workforce. Our financial management applications allow our customers to manage their finance processes, from record to report, procure to pay, and contract to cash.
To learn more about Workday products, visit our Product page.
We operate a Software-as-a-Service (SaaS) business model typically for enterprise customers, meaning we do not sell our customers’ users’ data or monetise that by selling advertising. Instead, we sell subscriptions to our services. Our customers control the data they put into our services and how it is used. How we use and disclose our customer representatives’ data is described in more detail below.
Some data protection laws in various jurisdictions distinguish between “controllers” and “processors” of personal information. While other jurisdictions may use different terminology, the concept typically remains the same. A controller decides why and how to process personal information. A processor only processes information on behalf of a controller based on the controller’s instruction; the processor does not make decisions about personal information. Workday may be either a controller or a processor, depending on the scenario.
This Privacy Statement applies when Workday is the data controller of your personal information (unless a different Workday privacy statement is displayed when we collect your personal information), and explains how Workday collects, uses and shares your personal information for its own purposes. For example, this Privacy Statement covers when you:
- Visit a Workday website that links to this Privacy Statement
- Interact with Workday as a representative of a company that has an account with Workday (e.g. you are our customer or our supplier)
- Create or use an account offered directly by Workday (as opposed to an account offered by our customers)
- Register for or attend a Workday marketing, learning or training event or webinar
- Provide us with feedback about our products or services
- Receive a sales or marketing communication from us, including emails or telephone calls
This Privacy Statement does not cover how we process personal information on behalf of our enterprise customers as a processor. If you are an employee, a student or a job applicant of an organisation that uses a Workday product or service and you have questions or concerns about the personal information your organisation holds in Workday about you (when Workday is a processor), please direct your request to that organisation. Workday cannot respond directly to your request.
If you are a Workday employee or job applicant or you visit a Workday facility, information about how we use and protect your information is communicated to you in a separate statement.
How we collect and use your personal information.
Workday collects and uses personal information for various reasons. When we do so, we will use it in accordance with applicable laws.
Some jurisdictions, including the European Economic Area (“EEA”), the United Kingdom (“UK”) and Switzerland, require a legal basis – a reason why Workday is legally allowed to collect and use your personal information.
Below, we describe (1) in what instances we collect your information, (2) the categories of information we collect in those instances, (3) our purposes for collection and (4) the legal bases for collection. If we need to collect other personal information from you, we will explain which information we need and why at the time we collect it.
Sometimes, we may ask you to provide personal information voluntarily: for example, we may ask you to provide your contact details to create an account with us, to subscribe to marketing communications from us and/or to submit inquiries to us. In some cases, we combine the information you provide.
When you request information from us. When you fill out a contact form or otherwise contact us to express interest in obtaining information about Workday or our services, we may ask you to provide us with your contact information such as name, business email, telephone number, company name, job level, functional role and address.
- Purpose and legal basis under data protection law: We process your personal information in reliance on our legitimate interests or your consent (where you have opted in to email marketing) to:
- Fulfil your request and communicate with you
- Provide you with information about our products, in accordance with your marketing preferences (including telemarketing calls and marketing emails)
If you are our customer. If you are a representative of a company that has an account with Workday, we collect your business contact information including your name, business email, telephone number and company name. If you contact Workday for support related to your organisation’s use of our products, services or events, we will also collect information about the reason for your inquiry and any other information you choose to provide to us.
- Purpose and legal basis under data protection law: We process your personal information in reliance on our legitimate interests or your consent (where you have opted in to email marketing) to:
- Communicate with you and fulfil your request for Workday support
- Manage your organisation’s account, including invoicing and other account-related issues
- Provide you with information about our products, in accordance with your marketing preferences (including telemarketing calls and marketing emails)
If you are our supplier. If you are a representative of a company that provides Workday with products or services, we collect your business contact information including your name, business email, telephone number and company name.
- Purpose and legal basis under data protection law: We process your personal information in reliance on our legitimate interests to:
- Manage your organisation’s account, including invoicing and other account-related issues
- Communicate with you and respond to your inquiries
If you are an end user of a Workday-owned account. Typically, when you use a Workday product through your employer or another Workday customer, your account is controlled and owned by that organisation. In some circumstances, you may register for an account directly with Workday rather than through your organisation – for example, if you register for an account to access Workday Community, or as a user of Workday Strategic Sourcing. In those cases, we collect the account registration information you give us (for example, your name and email) and your profile information (for example, your company name). In some cases, you may have the option to personalise your account with additional information such as a photo, a social media profile or other personal information. For services that require it, we also will collect authentication information, such as mobile number, email address or other unique verification identifiers. If you sign up for a Workday training or learning course covered by this Privacy Statement, we will collect the account registration information, as well as enrolment and attendance information (including when your registration is paid for by a Workday customer or partner). If applicable, we may also collect payment information directly from you.
- Purpose and legal basis under data protection law: We process your personal information to perform or enter contracts or terms of service with you, or if we do not have a contract directly with you, in reliance on our legitimate interests to:
- Manage your user account in accordance with the applicable terms of service
- Ensure that you can log in to use our services and access information you need securely and efficiently
- Deliver requested resources or services to you
If you register for events and webinars. When you register for an event or webinar, we may ask you to provide us with your contact information such as your name, business email, telephone number and company name; your health and safety information such as your emergency contact and your dietary preferences; and your billing information such as your billing name, billing address and credit card number. If you use a Workday event-related mobile application, we may also collect additional information from your device, such as your photos, contacts or geolocation data, in accordance with your device’s privacy settings.
- Purpose and legal basis under data protection law: We process your personal information with your consent (where you have opted in to email marketing), to perform or enter contracts or terms of service with you, or if we do not have a contract directly with you, in reliance on our legitimate interests to:
- Manage, plan and host the event, including to send related communications
- Improve our future events and our mobile application
- Improve or enhance your (or your organisation’s) experience interacting with Workday
- Provide you with information about our products, in accordance with your marketing preferences (including telemarketing calls and marketing emails)
If you participate in research with us or otherwise provide us with feedback. When you participate in or register for a Workday study, survey, panel or panel pool, or voluntarily submit certain information to us such as providing Workday with feedback about our products and services, we may ask for certain biographical or demographic information, such as your name, email address, contact information, time zone, location, company, employment status, tenure, role, job information, gender, age group and other information relevant to the study. For certain studies, we may also take photos, videos or audio recordings (with your permission and in accordance with applicable laws).
- Purpose and legal basis under data protection law: Where you have entered into a contract with us, we will process your personal information for the performance of such contract. If we do not have a contract directly with you, or otherwise obtain your consent, we rely on our legitimate interests to:
- Fulfil the purpose set out in the study or survey
- Improve your (or your organisation’s) experience interacting with Workday
- Identify the Workday research studies best suited to you based on your attributes and invite you to participate via email
- Identify potential product improvements or future product developments for the workforce
- Contextualise your feedback and experience with our products and services so that we can improve them
- Improve how we conduct research
If you participate in a sales call or online meeting with Workday. We may record sales phone calls and online meetings (including audio and video content where applicable) for training, quality assurance and administration purposes. This includes analysing the content of such calls and online meetings using AI-powered tools to gain better insights into our interactions with our customers and prospects. We will always notify you before a call will be recorded and will obtain your consent where required under applicable law.
- Purpose and legal basis under data protection law: We process your personal information with your consent where required under applicable law or in reliance on our legitimate interests to:
- Maintain high-quality sales calls and engagements with prospects and customers
- Provide training and coaching to our sales teams
- Generate automated call transcripts
- Keep our records up to date (for example, in relation to follow-up meetings, sales opportunities and updating customer contact details)
- Improve our sales processes and make our sales calls more impactful
We also collect certain information related to your use of our websites. In some jurisdictions in the United States and countries in the EEA, the UK and Switzerland, this information may be considered personal data under applicable data protection laws. We may combine this information with personal information provided by you. In particular, we collect the following personal information from you automatically:
When you access our websites or content. When you visit our websites, we collect information about your device and your usage. The information collected may include your IP address, device type, unique device identification numbers, browser type, broad geographic location (for example, country or city-level location based on your public IP address), performance and other usage and technical information. We also collect information about how you interact with our websites (for example, referring web page, pages visited, features used), emails, content or other features (for example, when you open a marketing email or click on an embedded link, or if you watch videos on our site or interact with/message using our chat function). Some of this information may be collected using cookies and similar tracking technology, as further explained in our Cookie Notice. We do not collect “sensitive personal information” as the term is defined by California law beyond what is necessary to provide your requested services. Accordingly, we do not provide a mechanism for you to request that we limit our use of sensitive personal information.
- Purpose and Legal Basis Under Data Protection Law: We process your personal information in reliance on our legitimate interests to:
- Better understand the visitors who come to our websites, where they come from, and what content on our website is of interest to them. We use this information for our internal analytics purposes and to improve the quality and relevance of our websites to our visitors.
- Provide, operate and maintain our websites, including providing access to content you have requested and displaying country-specific information.
- Protect the security and prevent misuse of our websites and services by tracking use of our websites and services, verifying accounts and activity, investigating suspicious activity and enforcing our terms and policies.
When you use the Workday mobile application. When you use our mobile app, we collect certain information from your device such as your device make, model and memory. Our application will assign a unique identifier to your device to help us improve the performance of our applications. Workday does not use information collected from our mobile app for targeted advertising.
- Purpose and Legal Basis Under Data Protection Law: We process your personal information in reliance on our legitimate interests to:
- Detect crashes, undertake troubleshooting, and understand and improve end-user experience with our mobile applications
- Remotely enable or disable features within the mobile application
If you are an end user of a Workday product through a Workday customer. When you use our products and services through your employer or another Workday customer (for example, when using a Workday enterprise cloud application), we log certain systems usage information automatically. This information may include system-generated identifiers such as IP address, operating system type and version, whether service tasks and notifications complete, date and time stamps, and details about which of our products you are using. We do not identify you from this systems usage information unless your organisation first provides us with instructions to do so, and provides us with certain information about your end-user account. This may happen in the context of a customer support request (e.g. when you or your organisation ask us to help you resolve an issue you are having with our products and services).
- Purpose and legal basis under data protection law: To the extent our systems usage information is treated as “personal information” under applicable data protection laws, we process this personal information in reliance on our legitimate interests to:
- Provide and maintain the functionality of services and products you and/or your organisation request
- Assess and analyse your (and your organisation’s) experience interacting with Workday’s services
- Undertake research and development in light of this assessment in order to improve performance of the services
- Protect the security and prevent misuse of our services by investigating suspicious activity and enforcing our terms and policies
We also collect information about you from other sources including third parties, individuals at your organisation or publicly available sources. We may combine this information with personal information provided by you. Specifically, we collect personal information from the following other sources:
From third-party providers of business contact information. Workday may collect business contact information about you from other sources including the co-sponsors of events attended by Workday, third parties from whom we have purchased business contact information, and from publicly accessible websites, such as your company’s website, professional network services or press releases. Business contact information may include: first name, last name, business email, telephone number, company name, job level, functional role, business street address and online identifier, as well as previous employers and roles.
- Purpose and legal basis under data protection law: We process your personal information in reliance on our legitimate interests or with your consent (where you have opted in to email marketing) to:
- Provide you with information about our products, in accordance with your marketing preferences (including telemarketing calls and marketing emails)
- Understand our market and identify potential customer opportunities
From your organisation. We also may receive information about you from your organisation for the purposes of obtaining or providing services or to recommend individuals to participate in our research studies. For example, another individual at your organisation may provide us with your business contact information so that we can give you access to training materials purchased by your organisation, or to grant you certain administrative privileges. If your organisation is a Workday supplier, your organisation may also provide us with your name and email address so that we can contact you about the services your organisation supplies to us.
- Purpose and legal basis under data protection law: We process your personal information in reliance on our legitimate interests to:
- Communicate with you about the goods and services provided
- Manage your (or your company’s) account and provide the requested services to you or your company
Workday may share or make accessible your personal information to third parties as follows:
Workday Affiliates. Workday may disclose any of the categories of personal information described above to affiliates within the Workday group where necessary to fulfil a request you have submitted or for customer support, marketing, technical operations, event registration and account management purposes.
Service providers. Workday may disclose both personal information and the categories of personal information described above to third-party service providers or vendors contracted to provide services on our behalf (for example, IT and hosting, data analytics, event services, customer support, call recording, data enrichment, email fulfilment and payment services). These third-party service providers may use personal information we provide to them only as instructed by Workday.
Workday partners. When you participate in webinars, events, and other activities where Workday collaborates with third parties, we may disclose the information described under “if you register for events and webinars” above, such as your contact information and interests in these offerings or services to these approved third parties to communicate with you.
Your organisation. Where your organisation is a customer or potential customer of Workday, we may disclose your personal information to relevant people within your organisation. For example, we may share a list of individuals attending a Workday event, or disclose inquiries from end users that should be addressed directly by the organisation rather than Workday.
Advertising. When you visit our website, we may enable third parties to use cookies and other trackers to show you ads on third-party websites that are more relevant to you. Under some data protection laws, our disclosure of this information with third parties through cookies and other trackers for targeted advertising may be considered a “sale” or “share” of personal information. Please see our Cookie Notice for more information about the types of cookies we use or click “Cookie Preferences” (link located in the footer of our Website) to set your preferences and opt out of the sale or sharing (for targeted advertising) of your data. Workday does not have actual knowledge that it “sells” or “shares” the personal information of individuals under 16 years of age.
Additional disclosures: Workday may disclose data if we have a good-faith belief that such action is necessary to (a) conform to legal requirements or comply with legal processes; (b) protect and defend our rights or property; (c) enforce our website Terms and Conditions; and/or (d) act to protect the interests of our customers, users or others. If Workday goes through a business transition, such as a merger, acquisition by another company, or sale of all or a portion of our assets, your personal information may be among the assets transferred, provided that we inform the actual or potential buyer (or its agents and advisors) that it must use your personal information only for the purposes disclosed in this Privacy Statement. Workday may also ask for your consent to disclose your information to other unaffiliated third parties that are not described elsewhere in this statement.
We use technical and organisational measures that provide a level of security appropriate to the nature of the personal information and the risks that are presented by processing your personal information. However, the security of information transmitted through the internet can never be guaranteed. You are responsible for maintaining the security of your password or other form of authentication involved in accessing password-protected or secured resources.
Workday operates as a global business and complies with applicable legal requirements when we need to transfer, store or process your personal information in a country outside your jurisdiction.
We take appropriate safeguards to protect your privacy, your fundamental rights and freedoms, and the ability to exercise your rights. For example, if we transfer personal information from the EEA, the UK or Switzerland to another country such as the United States, we will implement an appropriate data transfer solution such as entering into “standard contractual clauses” approved by the European Commission or competent governmental authority (as applicable) with the data importer. Following the adequacy decision by the European Commission, Workday currently relies on the EU-U.S. Data Privacy Framework as a legal basis for transfers of personal information from the EU to the United States. For more information, see the Certifications subsection below or our Data Privacy Framework Notice here.
We retain your personal information for as long as we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements).
The criteria used to determine appropriate retention periods for personal information include:
- The length of time we have an ongoing business relationship with you
- The amount, nature and sensitivity of the personal information we process
- Whether we have a legal obligation to retain personal information or whether retaining personal information is necessary to resolve disputes, including the establishment, exercise or defence of legal claims
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
Data Privacy Framework.
Workday adheres to the principles of the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Workday relies on the EU-U.S. DPF as a legal basis for transfers of personal information. To learn more, visit our Data Privacy Framework Notice here.
Workday will rely on the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF as a legal basis to transfer personal information from the UK and Switzerland once the applicable local authorities approve the Adequacy Decisions. In the meantime, Workday continues to rely on the SCCs for the purposes of the UK and Swiss data protection law. See more in International Data Transfers above.
APEC Cross-Border Privacy Rules System.
Workday’s privacy practices, described in this Privacy Statement, comply with the APEC Cross-Border Privacy Rules (CBPR) System. The APEC CBPR System provides a framework for organisations to ensure protection of personal information transferred among participating APEC economies. More information about the APEC framework can be found here.
Depending on where you are located and how you interact with Workday, you may have certain legal rights over the personal information we hold about you, subject to local privacy laws.
These may include the right, depending on your jurisdiction, to:
- Obtain access to your personal information that is being processed by us.
- Correct inaccurate personal information.
- Request the deletion of your personal information.
- Opt out of the sale or sharing of personal information for targeted advertising. Although this is a right in certain jurisdictions, Workday does not sell your personal information.
- Object to the processing of your personal information carried out on the basis of our legitimate interests in the EEA, UK and Switzerland, and ask us to restrict the processing of your personal information.
- Request the portability of your personal information in a structured, commonly used and machine-readable format.
- Withdraw your consent at any time, if we have collected and processed your personal information with your consent. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
- Opt out of marketing communications sent by Workday.
- Lodge a complaint with a data protection supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence or the registered office of the controller.
Lodging a complaint.
You may lodge a complaint with a data protection authority such as the supervisory authority of your usual place of residence. A full list of EEA data protection authorities is available here. You can also lodge a complaint with the Irish Data Protection Commission, which is the competent supervisory authority for Workday Limited. Alternatively, you may request the details of your competent data protection authority by using the contact details at the bottom of this Privacy Statement.
Exercising your privacy rights.
Workday will not discriminate against you for exercising your rights. Workday does not make decisions based solely on automated processing that produces legal or similarly significant effects as part of the processing activities covered by this Privacy Statement. If your personal information has been submitted to us by or on behalf of a Workday customer and you wish to exercise any rights you may have under applicable data protection laws, please inquire with the applicable customer directly.
To exercise your rights with respect to information covered by this Privacy Statement, please contact us using the contact details at the bottom of this Privacy Statement or by submitting a request through our Request Portal. You must provide the information listed in the Request Portal so that Workday can verify your identity. Workday will take steps to verify your identity, including validating your name and the email you use when interacting with Workday. You may also authorise another person or third party to submit a request to exercise your rights by providing written permission in conjunction with the submission of the requested information or by giving the third party your power of attorney. We will acknowledge your request and provide a follow-up substantive response within a time period permitted by applicable law. In the event that Workday needs an extension to fulfil a request, we will notify you. If we deny your request, we will provide reasons for that denial.
You may opt out of the sale or sharing of your personal information for targeted advertising by clicking “Cookie Preferences” below or by implementing the Global Privacy Control (GPC). For instructions on how to download and use GPC, please visit https://globalprivacycontrol.org. See our Cookie Notice for more information.
If you reside in the EEA, the UK or Switzerland, Workday Limited in Ireland is the controller for your personal information, and Workday (UK) Limited is its representative in the UK.
For all other individuals, Workday, Inc. is the controller for your personal information.
If you have any questions about this Privacy Statement, or wish to exercise your rights, please submit your request through our Request Portal. You may also contact us at one of the mailing addresses below:
Workday, Inc. Attn.: Privacy 6110 Stoneridge Mall Road Pleasanton, CA 94588 USA |
|
Workday Limited Attn.: Privacy Ireland |
|
Workday (UK) Limited |
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily or you wish to appeal, please contact our US-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
This Privacy Statement may be amended or revised from time to time at the discretion of Workday. Changes to this Privacy Statement will be posted on the website and links to the Privacy Statement will indicate that the statement has been changed or updated. If we propose to make any material changes, we will provide notice on this page prior to the change becoming effective. We encourage you to periodically review this Privacy Statement for the latest information on our privacy practices.