Protecting Workday Customers’ Privacy Now and in the Future: Model Clauses and the Privacy Shield

The Privacy Shield, announced in February by the European Commission and the U.S. government, aims to create a new framework for transatlantic transfers of personal data and to resolve the commercial uncertainty created by the October 2015 European Court of Justice ruling invalidating the Safe Harbor. The Privacy Shield agreement — the product of months of intense collaboration between the European Commission and the U.S. government — is designed to protect data flows, the lifeblood of the transatlantic economy and the European Union’s Digital Single Market.

The group of EU Member State data protection authorities known as the Article 29 Working Party issued its advisory opinion on the Privacy Shield on April 13, welcoming it as an improvement over the Safe Harbor but also recommending additional modifications. Some commentators have seen this opinion as an attack on the agreement, however Workday welcomes the Article 29 Working Group’s opinion and the improvements it can bring to the Privacy Shield, in both the short and long term, especially in relation to the inception of the EU’s General Data Protection Regulation.

Workday agrees that the Privacy Shield provides major improvements over the Safe Harbor. We firmly believe those necessary improvements can be achieved as regulators, data controllers, and data processors on both sides of the Atlantic implement the Privacy Shield and find opportunities to fine tune its protections. We urge the US and European Commission to implement the Privacy Shield as soon as possible, and, like the Commission, hope it can enter into effect in June.

We welcome the Article 29 Working Group’s efforts to keep valid and adequate tools for international data transfers in effect. The Workday approach is to cooperate with our customers and ensure that their personal data is transferred with adequate protections that can be enforced by EU data protection authorities in an effective and harmonised manner.

Workday provided customers with an immediate solution for continuing their transatlantic data transfers in a legally compliant manner following the European Court of Justice ruling invalidating the Safe Harbor. Workday has always included Standard Contractual Clauses (SCCs) in its Data Protection Agreement. The SCCs remain a standard and accepted way to transfer personal data from the EU.

As we have previously shared, protecting and securing our customers’ data is fundamentally important to Workday, and we’ve built our business on key security and privacy concepts:

• Our customers own and control their data. Each customer determines what data to enter and configures the applications and business processes to best safeguard the privacy of personal data. We process the data for customers but do not monetize personal data or otherwise use it for our own purposes.
• Data is encrypted in our persistent data store. Workday encrypts every attribute value in the application before it is stored in the database. All customer data in the persistent layer is encrypted and accessed only by the application server.
• We are transparent about where and how customer data is processed. Customers have visibility to our security and privacy controls through third-party audits (SOC-1 and SOC-2), ISO (27001 and 27018), and TRUSTe Enterprise certifications, as well as our Customer Audit Program.

We are committed to offering our customers flexible business practices, such as Workday’s EU Support Policy, the broadest range of data transfer protocols, and the highest levels of privacy protection available. As part of our commitment, we look forward to the opportunity to certify compliance with the Privacy Shield as soon as we can practically do so.

We will continue working with legislators, regulators, our customers and industry groups on both sides of the Atlantic to ensure that laws regulating privacy and security are robust, fair, and equitable. We are ready to provide our customers with new transfer frameworks and regulatory solutions so they continue to enjoy the highest possible levels of security, data protection and privacy so they can continue to manage their businesses with Workday.