Whether you are a prospective or an existing client of ADP, a vendor or any other business contact, a job applicant, a client employee or worker, a website user, an ADP associate or a contingent worker, you will receive information as to how ADP handles your personal data in the relevant ADP Privacy Statement that is made available to you.
When collecting your personal data, ADP is committed to respecting your choices regarding the processing of such data. We will process your data for the business purpose such data was collected. Under very limited circumstances as described in our Binding Corporate Rules, ADP may process your data for a legitimate secondary purpose that is closely related to the original purpose for which such data was collected. If you are a Client employee or worker, ADP will process your data in accordance with the instructions that we receive from our Clients.
We collect and use only the minimum personal data necessary to achieve the business purpose for which it was collected. When ADP processes your data, access is granted based on specific roles and job functions.
We perform data flow mapping and privacy assessments on our data processing activities, which enable us to hold an inventory of our processing activities.
ADP has developed Privacy by Design Policies, Standards and Guidelines to assist our Associates and Contingent Workers in using Privacy Enhancing Technologies (PETs), for privacy protection purpose, and in implementing the Seven Foundational Principles of Privacy by Design as adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010.
Our Privacy by Design (PbD) Policies, Standards and Guidelines set forth requirements for the development and implementation of ADP Products and Services throughout our entire product and services development life-cycles.
These requirements enable ADP to make our privacy guidance available upfront during the ideation phases of our products and services. Both Privacy and Security protections are enabled with our Privacy by Design strategy, classifying data at its point of collection through properly destroying that data at the end of its life-cycle. We are transparent with our users and regularly review and update our Privacy Policies. Our products and services enable users to exercise their privacy rights. We have embedded the foundational concepts of Privacy by Design into our products and services, including but not limited to data minimization, purpose specification, collection limitation and use, retention and access control.
Where reasonable or required by law, ADP will provide information that you may request regarding the data that ADP collected from you in accordance with our Binding Corporate Rules. When processing personal data on behalf of its Clients, ADP will provide assistance in addressing individuals’ rights requests, in accordance with applicable law and contractual agreement with our Clients. ADP is committed to provide you with a reasonable opportunity to examine your own personal data and to update it if it is incorrect.
ADP has implemented a Global Records Information Management (RIM) Policy, covering the appropriate retention, maintenance, and destruction of client information and company records.
ADP’s Global Security Organization maintains administrative, technical and physical controls to protect personal data entrusted to ADP. ADP’s incident response process is designed to ensure that any incidents involving your personal data are addressed, tracked and reported in a timely and effective manner and in accordance with ADP security policies, procedures, and legal requirements. When necessary, procedures for the notification of Clients, individuals and all other parties who may be impacted by the incident are initiated, and appropriate remedial actions are taken.
ADP’s vendors must meet our data security and privacy standards. Our vendor assurance process enables ADP to assess its vendors prior to entering into a contract with them. Our vendors are contractually required to comply with ADP’s privacy principles. We do not transfer personal data to third-party providers other than to perform ADP services.
ADP will comply with applicable laws in case of transfer of personal data across country borders. Where applicable, ADP shall also comply with its Binding Corporate Rules for Client Data Processing Services (the Processor Code) which provides the primary legal basis for transfers of personal data of our Clients’ employees from European locations to members of the ADP group located outside of the European Economic Area (EEA).
As part of ADP’s enterprise risk assessment and risk management activities, our Audit Committee of the Board of Directors oversees and reviews risk related to privacy.
ADP’s global privacy program is led by its Chief Privacy Officer and the Data Privacy and Governance Team in cooperation with representatives from all of ADP’s business units and functions, the ADP Privacy Stewards, the members of the ADP Legal department and Compliance professionals. Taking into account the sensitivity of the personal data, ADP Associates and contingent workers who access personal data are trained on the appropriate use and handling of personal data as it pertains to their job responsibilities.