The policy directs individuals wishing to exercise data protection rights to contact information provided in regional supplements, rather than providing a single global contact point in the main policy text.
This analysis describes what ADP's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that the procedural mechanism for exercising GDPR, CCPA, and other data subject rights is distributed across jurisdiction-specific supplements rather than centralized, which requires individuals to identify and access the correct regional notice before initiating a rights request.
Interpretive note: The specific contact mechanisms, response timelines, and verification requirements for each regional supplement are not reproduced in the document text provided and must be assessed from the individual regional notices.
ADP deleted the cookie preference management tool that previously allowed users to understand and control which cookies were placed on their devices, including functional, analytics, and advertising cookies. The removal eliminates the transparency mechanism through which users could consent to or opt out of different cookie categories. The practical effect depends on whether ADP has replaced this functionality elsewhere or whether cookies continue to be placed without equivalent granular user control.
View change record →Under this clause, individuals who wish to access, correct, delete, or restrict their personal data must locate and use the contact mechanism in the regional supplement applicable to their jurisdiction, and employees of ADP client organizations are additionally required to direct requests to their employer rather than to ADP.
How other platforms handle this
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
ADP has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"If you would like to exercise any of your data protection rights, or if you have questions or concerns about this Privacy Statement or ADP's privacy practices, please contact us using the contact information provided in the applicable regional supplement.— Excerpt from ADP's ADP Privacy Statement
1) REGULATORY LANDSCAPE: This provision engages GDPR Articles 15-22 (data subject rights including access, rectification, erasure, restriction, portability, and objection), CCPA/CPRA rights for California residents, and equivalent rights frameworks in Canada, Australia, and other jurisdictions where ADP operates. Each jurisdiction's framework specifies response timelines (GDPR requires response within one month, extendable to three months for complex requests) and the modalities for submitting requests. 2) GOVERNANCE EXPOSURE: Medium. The distributed regional supplement structure creates a risk that individuals cannot readily identify the correct contact point, which may result in delayed or missed rights request responses. GDPR supervisory authorities have sanctioned organizations for inadequate data subject rights response procedures, and the burden of establishing a functional request intake process is on ADP as controller. 3) JURISDICTION FLAGS: EU and UK data subjects have the most defined rights framework with specific statutory response deadlines. California residents have CPRA rights with CPPA-regulated response timelines. Canadian residents are subject to PIPEDA and provincial privacy laws with their own access request frameworks. The adequacy of ADP's regional supplement network in covering all jurisdictions where ADP operates should be verified. 4) CONTRACT AND VENDOR IMPLICATIONS: ADP client organizations should confirm that their data processing agreements with ADP include provisions requiring ADP to assist with data subject rights requests received by the client for data processed by ADP. GDPR Article 28(3)(e) requires that processors assist controllers in responding to data subject rights requests. 5) COMPLIANCE CONSIDERATIONS: Legal teams should audit the response process for data subject rights requests across each regional supplement to confirm that intake, tracking, verification, and response procedures meet applicable statutory timelines. Organizations should also verify that ADP's process for handling misdirected requests (requests from employees that arrive at ADP rather than the employer) includes a timely forwarding or notification mechanism.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that the procedural mechanism for exercising GDPR, CCPA, and other data subject rights is distributed across jurisdiction-specific supplements rather than centralized, which requires individuals to identify and access the correct regional notice before initiating a rights request.
Under this clause, individuals who wish to access, correct, delete, or restrict their personal data must locate and use the contact mechanism in the regional supplement applicable to their jurisdiction, and employees of ADP client organizations are additionally required to direct requests to their employer rather than to ADP.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by ADP.