At Workday, privacy protections have been a fundamental component of our services since day one. Our commitment to protecting our customers’ data isn’t limited by a geographical border or region, and extends to ensure we keep pace with—and are often the first to certify to—global privacy standards.
Today, a significant update regarding the validity of data transfer mechanisms was announced by the Court of Justice of the European Union (CJEU) as a result of what has become known as the “Schrems II” case.
The outcome will have little practical impact on Workday customers. While companies may no longer use Privacy Shield as a data transfer mechanism for personal data from the European Economic Area to the United States, Workday employs other valid data transfer mechanisms not affected by today’s ruling. And as a privacy leader, we will continue to evolve and offer new data transfer mechanisms to customers as they become available.
We know this shift might raise additional questions from our customers who share our commitment to upholding the highest levels of data protection. To help provide clarity on what this ruling means, and what to expect from Workday in our ongoing commitment to data privacy protections, we wanted to share a brief FAQ:
Bottom line, our customers can continue to use Workday for processing personal data worldwide. We offer customers a number of data transfer mechanisms to legalize transfers of personal data from the European Economic Area to the United States. Especially given the types of data Workday processes for our customers, we are confident that we can continue to comply with the requirements of EU law.
Specifically, Workday offers the European Commission’s Standard Contractual Clauses, which the CJEU today ruled remain a valid lawful data transfer mechanism.
In addition, we’ve obtained approval from EU data protection supervisory authorities for global Processor Binding Corporate Rules (BCRs), which is a detailed code of conduct that governs the processing of personal data within a multinational company. For customers not yet leveraging the Standard Contractual Clauses or Workday BCRs, we have amendments available to incorporate them into data processing terms as additional transfer mechanisms.
Yes, we’re continually evaluating new transfer mechanisms as they become available. For example, Workday was first to adhere to the EU Cloud Code of Conduct, and we continue to pursue similar opportunities to demonstrate global compliance with the most stringent standards. And we are confident that the EU and U.S. will quickly work to put in place a replacement for Privacy Shield.
The free flow of data across borders—including data transfers from Europe to the U.S—is critical to individual businesses and the greater economy. We meet regularly with officials on both sides of the Atlantic to talk about the economic importance of data transfers and the benefits they provide for cloud computing.
Through our participation in the Privacy Shield review process two years in a row, we demonstrated to the European Commission the thoroughness of our efforts. We will continue to promote the free flow of data through our work with both the European Commission and the United States government.
We realize the topic of data privacy and cross-border data flows are complex ones to tackle, but we’re here to help. The most important thing to know is that Workday will continue to prioritize our customers—including their data, privacy, and related processes—in order to help support continued compliance with related rules and regulations.