When your employer uses ADP for payroll or HR, ADP follows your employer's instructions for handling your data, and your employer is legally responsible for most data decisions. If you want to know how your data is used or want to change it, you generally need to ask your employer, not ADP.
This analysis describes what ADP's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision determines who you can hold accountable for your data. For most employees, ADP is not the primary point of contact for data rights, which can make exercising those rights slower or more complex.
ADP deleted the cookie preference management tool that previously allowed users to understand and control which cookies were placed on their devices, including functional, analytics, and advertising cookies. The removal eliminates the transparency mechanism through which users could consent to or opt out of different cookie categories. The practical effect depends on whether ADP has replaced this functionality elsewhere or whether cookies continue to be placed without equivalent granular user control.
View change record →Employees whose companies use ADP for payroll or HR may find that ADP redirects their requests to their employer, meaning accessing, correcting, or deleting payroll and benefits data requires going through your employer's HR department rather than contacting ADP directly.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We may display advertisements on our Services and those advertisements may be targeted to your interests based on your personal information. We may share your personal information with advertising partners for interest-based advertising purposes. You may opt out of interest-based advertising by visi...
Monitoring
ADP has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"When ADP provides services to Clients, ADP typically acts as a data processor, processing personal data on behalf of our Clients and under their instructions. In this situation, Client is the data controller and is responsible for compliance with applicable data protection laws that apply to the collection and processing of their employees' personal data. ADP's processing of such data is governed by our contracts with Clients. If you are an employee or associate of one of our Clients, please contact your employer regarding ADP's use of your personal data.— Excerpt from ADP's ADP Privacy Statement
REGULATORY LANDSCAPE: This provision directly engages GDPR Articles 4(7) and 4(8) defining controller and processor roles, and Article 28 requiring a written data processing agreement between controller and processor. The applicable enforcement authorities are EU national data protection authorities and the UK ICO. The allocation of responsibility to the employer-client as controller does not fully eliminate ADP's compliance obligations as a processor, including security, sub-processor management, and breach notification duties. GOVERNANCE EXPOSURE: High. The dual-role structure creates compliance complexity because ADP's obligations to data subjects differ significantly depending on context. If ADP inadvertently acts as a controller in situations it characterizes as processor engagements, or if employer-clients have inadequate DPAs, both parties face regulatory exposure. The redirection of individual rights requests to employers may not satisfy regulatory expectations if employers are unresponsive or if ADP cannot demonstrate a compliant DPA is in place. JURISDICTION FLAGS: EU and UK jurisdictions create the highest exposure given GDPR and UK GDPR Article 28 requirements for documented DPAs. California creates additional exposure under CCPA's service provider framework, which similarly requires contractual restrictions on downstream data use. Illinois BIPA may apply independently of this controller/processor distinction for biometric data. CONTRACT AND VENDOR IMPLICATIONS: Employer-clients procuring ADP services must confirm that their master service agreements include a compliant data processing addendum. Procurement teams should audit whether ADP's standard DPA covers all relevant processing activities, sub-processors, and transfer mechanisms. The policy's redirection of employee rights to employers means HR teams must have processes to handle these requests. COMPLIANCE CONSIDERATIONS: Legal teams should map which ADP processing activities fall under controller versus processor roles for their organization. Organizations should verify that ADP provides timely sub-processor change notifications as required under GDPR Article 28(2). HR policy updates may be needed to route employee data requests appropriately.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision determines who you can hold accountable for your data. For most employees, ADP is not the primary point of contact for data rights, which can make exercising those rights slower or more complex.
Employees whose companies use ADP for payroll or HR may find that ADP redirects their requests to their employer, meaning accessing, correcting, or deleting payroll and benefits data requires going through your employer's HR department rather than contacting ADP directly.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by ADP.