The policy states that ADP processes payroll, benefits, HR, and tax data belonging to client employees in its capacity as a data processor, acting under the instruction of the employing organization as data controller.
This analysis describes what ADP's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision identifies the specific categories of personal data processed by ADP as a processor, which include payroll, tax, benefits, and HR records, categories that carry heightened sensitivity in some jurisdictions and that trigger specific regulatory obligations regarding accuracy, retention, and security.
ADP deleted the cookie preference management tool that previously allowed users to understand and control which cookies were placed on their devices, including functional, analytics, and advertising cookies. The removal eliminates the transparency mechanism through which users could consent to or opt out of different cookie categories. The practical effect depends on whether ADP has replaced this functionality elsewhere or whether cookies continue to be placed without equivalent granular user control.
View change record →Under this clause, personal data including salary, tax identifiers, benefits enrollment, and HR records of employees is processed by ADP under the instruction of their employer; the accuracy, retention, and security of this data are subject to both the employer's controller obligations and ADP's processor obligations under applicable law.
How other platforms handle this
At Ledger, earning and maintaining our users' trust is a top priority. That's why we are deeply committed not only to protecting your privacy and securing your personal data, but also to being fully transparent about how we handle it.
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
We use information to enhance the quality, reliability, and/or accuracy of our AI Features by creating, developing, training, testing, improving, and maintaining AI and ML models run by Strava or our service providers. We use aggregated, de-identified data for this purpose. We also use personal info...
Monitoring
ADP has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"ADP processes personal data related to employees of our clients, including payroll, benefits, human resources, tax, and related data, as a data processor on behalf of our clients.— Excerpt from ADP's ADP Privacy Statement
1) REGULATORY LANDSCAPE: Payroll, tax, and benefits data implicates multiple regulatory frameworks depending on jurisdiction: IRS and state tax authority regulations in the US regarding payroll data accuracy and retention; ERISA for benefits data where applicable; HIPAA for health benefits data if ADP processes health plan enrollment information; GDPR for EU employee data; and various state payroll and wage laws. HHS OCR has jurisdiction if ADP processes protected health information in connection with benefits administration. 2) GOVERNANCE EXPOSURE: High. The breadth of sensitive personal data categories processed (payroll, tax, benefits, HR records) across a global employee population creates significant regulatory exposure in multiple jurisdictions. A data breach or unauthorized disclosure of payroll or tax data would trigger mandatory breach notification obligations under GDPR Article 33, state breach notification laws, and potentially IRS notification requirements. 3) JURISDICTION FLAGS: Illinois BIPA may be implicated if ADP's time-and-attendance products process biometric data for Illinois employees. New York SHIELD Act and other state data protection laws impose security requirements for payroll and tax data. EU and UK GDPR impose data minimization and purpose limitation requirements on payroll processing. Canada's PIPEDA and provincial laws govern Canadian employee payroll data. 4) CONTRACT AND VENDOR IMPLICATIONS: ADP client organizations should ensure that data processing agreements with ADP specifically enumerate the categories of payroll and HR data processed, the permitted processing purposes, sub-processor restrictions, security standards, and breach notification timelines. ERISA fiduciary obligations may be relevant if ADP processes retirement plan data. HIPAA Business Associate Agreements are required if ADP processes protected health information for benefits administration. 5) COMPLIANCE CONSIDERATIONS: Legal and compliance teams at ADP client organizations should conduct data mapping exercises to identify all categories of employee data transferred to ADP and confirm that applicable DPAs, BAAs, and security agreements are in place. Retention schedules for payroll and tax data should be aligned across ADP's processing environment and the employer's own records to meet statutory retention requirements. Security incident response plans should address ADP as a processor and clarify notification chain timelines.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision identifies the specific categories of personal data processed by ADP as a processor, which include payroll, tax, benefits, and HR records, categories that carry heightened sensitivity in some jurisdictions and that trigger specific regulatory obligations regarding accuracy, retention, and security.
Under this clause, personal data including salary, tax identifiers, benefits enrollment, and HR records of employees is processed by ADP under the instruction of their employer; the accuracy, retention, and security of this data are subject to both the employer's controller obligations and ADP's processor obligations under applicable law.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by ADP.