Workday acts in two distinct roles: as a data controller when collecting your information through its own website and marketing, and as a data processor handling employee data on behalf of your employer. Which role applies determines where you must go to exercise your privacy rights.
This analysis describes what Workday's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
If you are an employee using Workday at work, your employer, not Workday, is typically the controller of your HR data, which means you may need to direct privacy requests to your employer rather than to Workday directly.
Interpretive note: The document was truncated before operative clauses were visible; the controller-processor distinction is inferred from Workday's known business model and the statement's general framing rather than from explicit document language.
This structural distinction affects where employees must go to access, correct, or delete their personal data. Employees whose HR data is processed through Workday may find that Workday is not the right contact for exercising their data rights, as those rights must be addressed through the employer who controls the data.
How other platforms handle this
Egnyte is a data controller with respect to personal data it collects from visitors to its website and through its marketing activities. Egnyte acts as a data processor with respect to the content and data that customers store within the Egnyte platform. In that capacity, Egnyte processes data on be...
When you visit a website built on Squarespace, Squarespace acts as a service provider or data processor, meaning that we process your information on behalf of the website owner. In this case, the website owner is responsible for the information they collect through their website and you should conta...
Mixpanel acts as a data processor on behalf of its customers (the controllers) when processing end user data through the Mixpanel analytics platform, and as a data controller with respect to data it collects about its own website visitors and account holders.
Monitoring
Workday has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"At Workday, we believe privacy is a fundamental right, regardless of where you live. When you connect with Workday, we understand you are trusting us to handle your personal information appropriately. That is why we are committed to transparency about how we collect, use, and share that information.— Excerpt from Workday's Workday Privacy Statement
(1) REGULATORY LANDSCAPE: GDPR Articles 4, 24, and 28 establish distinct obligations for controllers and processors. Where Workday acts as a processor, a compliant Data Processing Agreement must exist with each enterprise customer acting as controller. The ICO in the UK and EU data protection authorities are the primary enforcement bodies for these obligations. Where Workday acts as its own controller for marketing data, it must independently satisfy lawful basis, notice, and rights-fulfillment requirements. (2) GOVERNANCE EXPOSURE: High. The controller-processor split creates operational complexity for enterprise customers who must ensure their DPA with Workday covers all relevant processing activities, sub-processor disclosures, and data subject rights fulfillment workflows. Failures in this structure have historically attracted regulatory attention in the EU and UK. (3) JURISDICTION FLAGS: EU and UK customers face the highest exposure given GDPR and UK GDPR requirements for documented processor relationships. California customers should assess whether Workday qualifies as a service provider under CPRA, with corresponding contractual restrictions on data use. Healthcare-adjacent employers must assess whether any data flows implicate HIPAA business associate requirements. (4) CONTRACT AND VENDOR IMPLICATIONS: Enterprise procurement teams should verify that a current, GDPR-compliant DPA exists with Workday, that sub-processor lists are disclosed and auditable, and that Standard Contractual Clauses or equivalent transfer mechanisms are documented for cross-border flows. The DPA should explicitly address the scope of HR data categories including payroll, benefits, performance, and disciplinary records. (5) COMPLIANCE CONSIDERATIONS: Compliance teams should maintain a data mapping record distinguishing Workday's controller and processor activities, ensure employee privacy notices reference Workday's processing role, and establish an internal process for routing employee data subject access requests that involve Workday-hosted data.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
We read the privacy policies and terms of service of 38 AI platforms. Here is what they say about training, retention, arbitration, and liability.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
If you are an employee using Workday at work, your employer, not Workday, is typically the controller of your HR data, which means you may need to direct privacy requests to your employer rather than to Workday directly.
This structural distinction affects where employees must go to access, correct, or delete their personal data. Employees whose HR data is processed through Workday may find that Workday is not the right contact for exercising their data rights, as those rights must be addressed through the employer who controls the data.
ConductAtlas has identified this type of provision across 3 platforms. See the full comparison.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Workday.