The policy states that ADP processes client employee HR, payroll, and benefits data as a data processor acting under employer instruction, and directs employees to contact their employer to exercise data rights rather than contacting ADP.
This analysis describes what ADP's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that the employing organization, not ADP, bears the primary data controller obligations for employee data processed through ADP's platforms, creating a structural redirection of individual data subject rights requests and determining which entity is accountable under GDPR and equivalent frameworks.
ADP deleted the cookie preference management tool that previously allowed users to understand and control which cookies were placed on their devices, including functional, analytics, and advertising cookies. The removal eliminates the transparency mechanism through which users could consent to or opt out of different cookie categories. The practical effect depends on whether ADP has replaced this functionality elsewhere or whether cookies continue to be placed without equivalent granular user control.
View change record →Under this clause, employees whose payroll, tax, benefits, or HR data is processed through ADP cannot direct access, correction, or deletion requests to ADP and must instead contact their employer, who retains controller responsibility for determining how that data is used and disclosed.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
ADP has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"ADP acts as a data processor for the personal data of our clients' employees. This means that ADP processes personal data on behalf of our clients (the data controllers) and in accordance with their instructions. If you are an employee of one of our clients and would like to exercise your data protection rights or have questions about how your data is being used, please contact your employer directly.— Excerpt from ADP's ADP Privacy Statement
1) REGULATORY LANDSCAPE: This provision engages GDPR Article 4 (definitions of controller and processor), Article 28 (processor obligations), and Articles 15-22 (data subject rights). The applicable enforcement authority is the EU supervisory authority with jurisdiction over ADP's EU establishment, as well as the UK ICO for UK data subjects. The characterization of ADP as a processor does not eliminate ADP's obligations under GDPR Article 28, including maintaining processor agreements, restricting sub-processors, and cooperating on data subject rights requests received in error. 2) GOVERNANCE EXPOSURE: High. The controller-processor split creates significant compliance exposure for ADP client organizations, who must ensure their data processing agreements with ADP satisfy GDPR Article 28 requirements. Clients that fail to maintain adequate DPAs with ADP may face regulatory exposure in the EU and UK. ADP's own exposure relates to its obligation to redirect data subject requests to the correct controller and to assist controllers in fulfilling those requests. 3) JURISDICTION FLAGS: EU and UK users have the highest exposure given GDPR and UK GDPR data subject rights frameworks. California employees may have separate rights under CCPA as applicable to employment data, though CCPA exemptions for employee data have historically been subject to legislative change and should be evaluated under current California law. Illinois BIPA may be implicated if ADP processes biometric data (such as time-and-attendance biometric records) for client employers. 4) CONTRACT AND VENDOR IMPLICATIONS: Organizations contracting with ADP should verify that a GDPR-compliant Data Processing Agreement is in place, covering sub-processor lists, audit rights, breach notification timelines (GDPR Article 33 requires 72-hour notification to supervisory authorities), and obligations to assist with data subject rights. The DPA should also address whether ADP's sub-processors are disclosed and whether client consent is required before ADP engages new sub-processors. 5) COMPLIANCE CONSIDERATIONS: ADP client organizations should audit their employee privacy notices to confirm that ADP is disclosed as a data processor and that the categories of data transferred to ADP are accurately described. HR and legal teams should confirm that DPAs with ADP are current and that any changes to ADP's sub-processor list trigger a review obligation. Organizations should also establish an internal process for receiving and forwarding data subject rights requests that arrive directly addressed to ADP.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that the employing organization, not ADP, bears the primary data controller obligations for employee data processed through ADP's platforms, creating a structural redirection of individual data subject rights requests and determining which entity is accountable under GDPR and equivalent frameworks.
Under this clause, employees whose payroll, tax, benefits, or HR data is processed through ADP cannot direct access, correction, or deletion requests to ADP and must instead contact their employer, who retains controller responsibility for determining how that data is used and disclosed.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by ADP.