Privacy at ADP

Effective Date: May 8, 2018

Last Updated: December 3, 2018

As a Human Capital Management (HCM) provider, ADP processes a vast amount of personal data. We process the personal data of our Clients’ employees on behalf of our Clients, and of our business contacts. In order to provide the highest level of data protection, ADP has adopted Binding Corporate Rules (BCR) for processing Client employee data and business contact data. In addition, ADP has implemented BCR for processing personal data of ADP Associates. These BCRs serve as the basis for our Global Privacy Program. We have implemented a Global Privacy Policy that is applicable to all ADP Associates worldwide, enabling us to comply with the commitments we’ve made in our BCRs.

We invite you to explore this webpage and learn more about Privacy at ADP, including understanding the steps that we’ve taken to protect personal data globally. Within this webpage, you may find our Privacy Statements, overview of our BCRs, and of our Privacy Program, as well as brochures and other privacy-related materials.

This webpage is complementary to our other Privacy at ADP webpage that you can find here.

ADP Privacy Statement for Business Contacts

This Privacy Statement explains how ADP, LLC. and the ADP Group Companies listed under section 17 of this Statement, (hereinafter “we”), use and disclose Personal Data that we collect from Individuals who visit our websites and otherwise engage with us in business activities. This Privacy Statement also incorporates ADP’s Binding Corporate Rules (BCR) Privacy Code for Business Data, which includes detailed information about how ADP processes data of our Business Contacts and the commitments we have made to protect that data. For more information on the BCR, please click on ADP Privacy Code for Business Data Overview towards the bottom of this webpage. If you have additional questions about privacy please contact us at Privacy@ADP.com.

For information on how ADP protects the Personal Data we process for Clients, please see the ADP Privacy Statement for Client Employees, found towards the bottom of this webpage.

ADP has a Global Data Privacy Policy that applies to all ADP Group Companies worldwide. An overview of the Global Data Privacy Policy, as it applies to Client Employee’s data that we process on behalf of our Clients, is located on this webpage. Every ADP Group Company must respect privacy and protect the Personal Data that is entrusted to it. This Privacy Statement explains how ADP collects, uses and discloses Personal Data in particular, from Business Contacts, as well as from its website visitors. If you are interested in the practices of a particular ADP Group Company, please check the “Privacy” link on that company’s website or contact us at Privacy@ADP.com.

1. Types of Personal Data

This Privacy Statement explains our practices with regard to Personal Data collected by ADP for its own Business Purposes. Personal Data is any information that can be used to identify, locate or contact you. Some examples of Personal Data include your name, username, mailing address, telephone numbers, email address, geographic location, creditworthiness, customer account information, or other information about how you use ADP websites and applications. Personal Data also includes other information that may be associated with your Personal Data.

2. How ADP collects Personal Data

In most cases, we collect Personal Data directly from you. We will ask you for Personal Data when you interact with us, such as registering on our websites, signing up to receive a newsletter, making a purchase, signing up to receive marketing communications, or to provide ADP with services, goods or products. We may collect additional information from Third Party data suppliers who enhance our files and help us better understand our contacts.

If you interact with us online, we use cookies and other technological tools to collect information about your computer and your use of our website and applications. We treat this information as Personal Data when it is associated with your contact information. For more information about cookies and other technologies, please see the section Cookies and Other Data Collection Technologies below.

3. How ADP uses Personal Data

ADP uses your Personal Data for the following Business Purposes::

  • Business Purposes for Processing Personal Data pertaining to Professionals. Personal Data pertaining to Professionals with whom ADP has a business relationship may be processed as needed:
    1. To initiate, assess, develop, maintain, or expand a business relationship, including negotiating, contracting, and fulfilling obligations under contracts;
    2. For due diligence regarding the Individual’s qualifications and eligibility for the relationship, including verifying the identity, qualification, authority, and creditworthiness of the Professional and obtaining publicly-available information from Third Parties (such as publicly-available sanction lists from screening companies); 
    3. To send transactional communications (such as requests for information, responses to requests for information, orders, confirmations, training, and service updates); 
    4. For account management, accounting, finance, and dispute resolution purposes (such as accounts receivable, accounts payable, account reconciliation, cash management, or money movement) and for consolidated management and reporting; 
    5. To assure quality control and to enforce company standards and policies; 
    6. For risk management and mitigation, including for audit and insurance functions, and as needed to license and protect intellectual property and other assets; 
    7. For security management, including monitoring Individuals with access to ADP’s websites, applications, systems, or facilities, investigation of threats, and as needed for any Data Security Breach notification; and
    8. To anonymize or de-identify the Personal Data.

  • Business Purposes for Processing Personal Data pertaining to Consumers and other Individuals.Personal Data pertaining to Consumers and other Individuals with whom ADP has a business relationship may be processed as needed:
    1. To provide the information, product, or service requested by the Individual, and as would be reasonably expected by the Individual given the context in which the Personal Data were collected, and the information provided in the applicable privacy statement given to the Individual (such as for personalization, remembering preferences, or respecting Individual rights);
    2. For due diligence, including verifying the identity of the Individual, as well as the eligibility of the Individual to receive information, products, or services (such as verifying age, employment, or account status);
    3. To send transactional communications (such as requests for information, responses to requests for information, orders, confirmations, training materials, and service updates); 
    4. To manage the Individual’s account, such as for customer service, finance, and dispute resolution purposes;
    5. For risk management and mitigation, including for audit and insurance functions, and as needed to license and protect intellectual property and other assets, 
    6. For security management, including monitoring Individuals with access to ADP’s websites, applications, systems, or facilities, investigation of threats, and as needed for any Data Security Breach notification; and 
    7. To anonymize or de-identify the Personal Data.

  • Business-necessary Processing activities. ADP may process Personal Data as needed (i) to protect the privacy and security of the Personal Data it maintains, such as in connection with advanced security initiatives and threat detection; (ii) for treasury operations and money movement activities; (ii) for compliance functions, including screening Individuals against sanction lists in connection with anti-money laundering programs; (iv) for business structuring activities, including mergers, acquisitions, and divestitures; and (v) business activities, management reporting, and analysis.
  • Development and improvement of products and/or services. ADP may process Personal Data to develop and improve ADP’s products and/or services, and for research, development, analytics, and business intelligence.
  • Relationship management and marketing. ADP may process Personal Data for relationship management and marketing. This purpose includes sending marketing and promotional communications to Individuals who have not objected to receiving such messages as may be appropriate given the nature of the relationship, such as product and service marketing, investor communications, Client communications (e.g., HR compliance alerts, product updates, and training opportunities and invitations to ADP events), customer satisfaction surveys, supplier communications (e.g., requests for proposals), corporate communications, and ADP news.

ADP uses your Personal Data for Secondary Purposes such as:

  • Disaster recovery and business continuity, including transferring the information to an Archive
  • Internal audits or investigations
  • Implementation or verification of business controls
  • Statistical, historical, or scientific research
  • Dispute resolution
  • Legal or business counseling
  • Compliance with laws and company policies
  • Insurance purposes

4. Why and How Personal Data is disclosed by ADP

ADP commits to not provide your Personal Data to Third Parties for their own marketing purposes. We limit our sharing of your Personal Data to:

  • ADP Group Companies, which will only use your Personal Data for the purposes listed above.
  • Our service providers, who are bound by law or contract to protect your Personal Data and only use your Personal Data in accordance with our instructions.
  • Our business partners, but only to the extent you have purchased product or service from such partner, interacted with such partner, or otherwise authorized the sharing. For example, if you are referred to ADP from a business partner website, we may provide that partner with your contact information and certain economic and financial information, such as bank account information, to validate the referral. We may also provide your contact information to companies that offer complementary products and services if you request information about these solutions.
  • Enforce our rights, protect our property, or protect the rights, property or safety of others, or as needed to support external auditing, compliance and corporate governance functions. We will also disclose Personal Data when required to do so by law, such as in response to a subpoena, including to law enforcement agencies and courts in the United States and other countries where we operate.

Please note that we may also use and disclose information about you that is not personally identifiable. For example, we may publish reports that contain aggregated, anonymized, and statistical data about our Clients. These reports do not contain information that would enable the recipient to contact, locate or identify you. These reports also do not contain identifiable company information.

5. Cookies and Other Data Collection Technologies

When you visit our website or use our mobile applications, we collect certain information by automated means, using technologies such as cookies, pixel tags, browser analysis tools, server logs, and web beacons. For example, when you visit our website, we place cookies on your computer. Cookies are small text files that websites send to your computer or other Internet-connected device to uniquely identify your browser or to store information or settings in your browser. Cookies allow us to recognize you when you return. They also help us provide a customized experience and enable us to detect certain kinds of fraud. In many cases, you can manage cookie preferences and opt-out of having cookies and other data collection technologies used by adjusting the settings on your browser. All browsers are different, so visit the “help” section of your browser to learn about cookie preferences and other privacy settings that may be available..

ADP also uses flash cookies (also known as local stored objects) and similar technologies to personalize and enhance your online experience. The Adobe Flash Player is an application that allows rapid development of dynamic content, such as video clips and animation. We use flash cookies for security purposes and to help remember settings and preferences similar to browser cookies, but these are managed through a different interface than the one provided by your web browser. To manage flash cookies, please see Adobe’s website at https://adobe.ly/2Kn1NL2 or visit www.adobe.comADP does not use flash cookies or similar technologies for behavioral or interest-based advertising purposes.

Pixel tags and web beacons are tiny graphic images placed on website pages or in our emails that allow us to determine whether you have performed a specific action. When you access these pages or open or click an email, the pixel tags and web beacons generate a notice of that action. These tools allow us to measure response to our communications and improve our web pages and promotions.

We collect many different types of information from cookies and other technologies. For example, we collect information from the device you use to access our website, your operating system type, browser type, domain, and other system settings, as well as the language your system uses and the country and time zone where your device is located. Our server logs also record the Internet Protocol (IP) address assigned to the device you use to connect to the Internet. An IP address is a unique number that devices use to identify and communicate with each other on the Internet. We may also collect information about the website you were visiting before you came to ADP and the website you visit after you leave our site.

In many cases, the information we collect using cookies and other tools is only used in a non-identifiable way, without reference to Personal Data. For example, we use information we collect about website users to optimize our websites and to understand website traffic patterns. In some cases, we do associate the information we collect using cookies and other technology with your Personal Data. This Privacy Statement applies to the information when we associate it with your Personal Data.

ADP has relationships with Third Party advertising companies to place advertisements on this website and other websites, and to perform tracking and reporting functions for this website and other websites. These Third Party advertising companies may place cookies on your computer when you visit our website or other websites so they can display targeted advertisements to you. These Third Party advertising companies do not collect Personal Data in this process, and we do not give Personal Data to them as part of this process. This Privacy Statement does not cover the collection methods or use of the information collected by these vendors. For more information about Third Party advertising, please visit the Network Advertising Initiative (NAI) at www.networkadvertising.org. You may opt out of being targeted by many Third Party advertising companies by visiting http://bit.ly/2Ig9IgT or http://preferences.truste.com/truste/.

Although our websites currently do not have a mechanism to recognize the various web browser Do Not Track signals, we do offer Individuals choices to manage their preferences that are provided in the previous sections above. We do expect our Third Party advertising companies to use reasonable efforts to respect browser Do Not Track signals by not delivering targeted advertisements to website visitors whose browsers have a Do Not Track setting enabled. However, we understand that some companies do not have this capability today. To learn more about browser tracking signals and Do Not Track please visit http://www.allaboutdnt.org/.

ADP uses Google Analytics as a Third Party vendor. For information on how Google Analytics uses data, please visit “How Google uses data when you use our partners sites or apps”, located at http://bit.ly/2jXZ13Y.

6. Mobile Applications

ADP offers mobile applications that allow you to access your account, interact with us online, and receive other information via your mobile device. Personal Data collected by ADP via our mobile applications is protected by the terms of this Privacy Statement or our Privacy Statement for Client Employees, as applicable.

7. Communication Preferences

You may limit the information you provide to ADP. You may also limit the communications that ADP sends to you. To opt-out of commercial emails, simply click the link labeled “unsubscribe” at the bottom of any email we send you. Additionally, you may opt-in or opt-out of communications by navigating to the Global Preference Center at http://subscribe.adpinfo.com/.

Please note that if you are currently receiving services from ADP and you have decided to opt-out of promotional emails, this will not impact the messages we send to you for purposes of delivering such services.

If you have questions about your choices or if you need assistance with opting-out, please contact us via email to Privacy@ADP.com. You may also write us at the address in the How to Contact Us section below. If you send us a letter, please provide your name, address, email address, and information about the communications that you do not want to receive.

8. Access, Correction, Erasure, and Other Individual Rights

ADP respects your right to access, correct, and delete your Personal Data, or object to the processing of your Personal Data. If you have an online account, you may log into your account to access update, or delete the information you have provided to us. Additionally, you may contact Privacy@ADP.com to request access to your data, and to exercise any of the individual rights afforded to you by ADP’s Privacy Code for Business Data, or by applicable data protection laws and regulations. You may also write to us at the address in the How to Contact Us section below. If you send us a letter, please provide your name, address, email address, and detailed information about the changes you would like to make. ADP will respond to requests as soon as possible and in accordance with applicable data protection laws and regulations.

9. Information Security

ADP is committed to maintaining the appropriate organizational, technical, and physical controls to protect Personal Data entrusted to ADP. These controls protect Personal Data from anticipated threats and hazards as well as unauthorized access and use. In each case, ADP will strive to provide security that is proportional to the sensitivity of the Personal Data being protected, with the greatest effort being focused on protecting Sensitive Personal Data and other Personal Data whose compromise could result in substantial harm or inconvenience to the Individual. Additional information about ADP’s Global Security Organization may be found at https://www.adp.com/trust.

Please note that you should also take steps to protect yourself, especially online. When you register at ADP websites, choose a strong password, and do not use the same password that you use on other sites. Do not share your password with anyone else. ADP will never ask you for your password in an unsolicited phone call or in an unsolicited email. Also remember to sign out of the website and close your browser window when you have finished your work. This is to ensure that others cannot access your Personal Data and correspondence if others have access to your computer.

10. Data Retention

ADP will only retain your information for as long as necessary for the Purposes for which the Personal Data is processed. ADP has implemented a Global Records Information Management (RIM) Policy and has established records retention schedules for all types of Personal Data that ADP processes. Personal Data is retained in accordance with the records retention schedules to ensure that records containing Personal Data are retained as needed to fulfill the applicable Business Purposes, to comply with applicable laws, or as advisable in light of applicable statutes of limitations. When the retention period has expired, records containing Personal Data will be securely deleted or destroyed, de-identified, or transferred to archive, in accordance with ADP’s RIM Policy.

11. International Data Transfers

ADP is headquartered in the United States of America. Your Personal Data may be accessed by or transferred to our Group Companies and Suppliers in the United States or elsewhere in the world in accordance with the ADP Privacy Code for Business Data, found towards the bottom of this webpage.

12. Privacy Statements of Third Parties

This Privacy Statement only addresses the use and disclosure of information by ADP. Our Suppliers, Business Partners, and other Third Party websites that may be accessible through our ADP.com website have their own privacy statements and data collection, use and disclosure practices. We encourage you to familiarize yourself with the privacy statements provided by Third Parties prior to providing them with information or taking advantage of an offer or promotion.

13. Forums, Product Reviews and Other Public Areas

Our websites may provide forums and other public areas where you may communicate with others and publicly post information. Prior to posting in these areas, please read our Terms of Use carefully. The information you post will be accessible to anyone with Internet access, and Personal Data you include in your posting may be read, collected, and used by others. For example, if you post your email address on a forum or in a public area, you may receive unsolicited messages from Third Parties. Please use caution when posting Personal Data.

14. Job Applicants

If you have applied for employment with ADP, the Personal Data submitted with your job application will be added to our recruitment system and used for recruitment and other customary human resources purposes in accordance with our ADP Applicant Privacy Statement.

15. Individuals Located in the European Economic Area

In addition to the rights already listed in this Privacy Statement under Section 8, you also have the right to data portability, as well as the right to be notified of automated decision making or profiling related to your Personal Data. A Data Protection Officer for the European Economic Area has been appointed and can be reached at DataProtectionOfficer.ADPEMEA@adp.com You may reach the Data Protection Officer via mail at the address below.

Data Protection Officer - EMEA
ADP Europe SAS
31 Avenue Jules Quentin
92000 Nanterre
France

16. Changes to this Privacy Statement

From time to time, we may update this Privacy Statement to reflect new or different privacy practices. We will place a notice online when we make material changes to this Privacy Statement.

17. Group Companies bound by this Privacy Statement

For a listing of Group Companies bound by this Privacy Statement and the Privacy Code for Business Data, please click www.adp.com/privacy/pdf/A2CoBDC.pdf.

18. How to Contact Us

Please contact us if you have questions, or comments, at Privacy@ADP.com. You may reach us via mail at address below. If you send us a letter, please provide your name, address, email address, and detailed information about your question, comment, or complaints.

ADP
Global Data Privacy and Governance Team
MS 325
One ADP Boulevard
Roseland, NJ 07068-1728 USA

19. How to Lodge a Complaint

If you believe that ADP has not handled your Personal Data properly or that it has breached its privacy obligations, under any applicable data protection laws or the ADP Privacy Code for Business Data or of Applicable Law, you may file your complaint in writing to the address above, or via email, to the Global Data Privacy and Governance Team at Privacy@ADP.com. The Global Data Privacy and Governance Team will investigate each complaint and notify the Individual within a reasonable timeframe of the outcome of the investigation. If you are not satisfied by the resolution ADP proposes, you may lodge a complaint in accordance with the provisions of the ADP Privacy Code for Business Data.

ADP Privacy Statement for Client Employees

Effective Date: May 8, 2018

ADP has an internal Global Data Privacy Policy that applies to all affiliates and associates worldwide. The Global Data Privacy Policy helps us ensure that personal data is handled properly. The Global Data Privacy Policy governs personal data collected by ADP for its own purposes as well as information provided to us as a processor for our Clients. It protects information collected online as well as offline. ADP is committed to protecting the privacy and security of personal data that we process in order to provide services to our Clients. We receive personal data from our Clients about their current, prospective and former employees as well as employee dependents and family members, as needed to provide benefits. This Privacy Statement explains our practices with regard to the personal data we receive from our Clients as a processor.

ADP will collect and process your personal data only as instructed or permitted by our Client (your employer) or you. ADP maintains appropriate security controls to protect your information.

For our Client employees located in the European Economic Area and in Switzerland, ADP has established Binding Corporate Rules (BCR) Privacy Code for Client Data Processing Services which have been approved by the European Union Data Protection Authorities.

ADP will disclose your personal data to your employer and to other entities when instructed by your employer. We may disclose your personal data to our affiliates and third party processors as needed to provide the services that you and your employer have requested. These entities are contractually bound to limit the use of your personal data as needed to perform the services. We will also disclose personal data when required to do so by law, such as in response to a subpoena, including to law enforcement agencies and courts in the United States and other countries where we operate.

If you have questions about your privacy rights, please contact your employer’s human resources department.

International Data Transfers

Where authorized by your employer, ADP will transfer personal data pertaining to individuals located outside of the United States to our affiliates and suppliers in the United States and elsewhere in the world, pursuant to applicable data protection laws. We will only transfer personal data pertaining to individuals located in the European Economic Area as permitted by the ADP Privacy Code for Client Data Processing Services. For an overview of the ADP Privacy Code for Client Data Processing Services, which includes the list of our affiliates bound by the ADP Privacy Code for Client Data Processing Services, please click www.adp.com/privacy/pdf/bcrpc_en.pdf.

Sensitive Personal Data

In the ordinary course of its business, ADP processes sensitive personal data on behalf of your employer, such as social security numbers. ADP has implemented reasonable technical, physical and administrative safeguards to help protect the sensitive personal data from unlawful use and unauthorized disclosure. All ADP associates and contingent workers are required to follow these established procedures, both online and offline. Access to sensitive personal data is limited to those associates and contingent workers who have a need to access the information to perform tasks for ADP. ADP will only disclose sensitive personal data to those service providers, auditors, and/or advisors who are legally or contractually obligated to protect them or as required or permitted by law.

Anti-Money Laundering

If your employer has elected to receive services such as money movement services from ADP, ADP may be required by applicable laws to process Client employee data for monitoring and other controls needed to safeguard the security and integrity of financial transactions including for due diligence, such as verifying the identifying of the individual, and the individual’s eligibility to receive products or services, such as verifying employment or account status.

California Privacy Rights

California Civil Code Section 1798 allows California residents to ask companies with whom they have an established business relationship to provide certain information about the companies’ sharing of personal data with third parties for direct marketing purposes. ADP does not share any California consumer personal data with third parties for marketing purposes without consent.

If you wish to request further information about our compliance with this law you may contact us at Privacy@ADP.com or by writing to:

ADP
Global Data Privacy and Governance Team
MS 325
One ADP Boulevard
Roseland, NJ 07068-1728 USA

How to Lodge a Complaint (European Economic Area (EEA) and Switzerland Client Employees only)

Client employees located in the EEA and Switzerland, as a third party beneficiary, may file a complaint in respect of a claim they have for violation of the ADP Privacy Code for Client Data Processing Services or applicable law, by contacting the Global Data Privacy and Governance Team at Privacy@ADP.com. If ADP’s response to your complaint is unsatisfactory, you may file a complaint or claim with the relevant regulatory authorities or the courts, in accordance with the provisions of the ADP Privacy Code for Client Data Processing Services.

ADP Privacy Code for Client Data Processing Services

Introduction

ADP has adopted Binding Corporate Rules (BCR) as a Data Processor. BCR are a legally binding set of internal rules, recognized by the European Union (EU) Data Protection Authorities (DPAs), to ensure a consistent approach to privacy and data protection across Group Companies with the same parent, including those located outside of the EU.

The ADP Privacy Code for Client Data Processing Services indicates the commitments ADP has implemented for the processing of personal data pertaining to client employees by ADP, in connection with providing client services and client support activities.

Scope and Applicability

The ADP Privacy Code for Client Data Processing Services addresses the processing of personal data of client employees by ADP in its role as a data processor for clients in the course of delivering client services, where such personal data are:

a. Subject to EEA Applicable Law (or were subject to EEA Applicable Law prior to the transfer of such personal data to a Group Company outside the EEA in a country which has not been deemed to provide an adequate level of data protection by competent EEA institutions);
b. Collected originally in the context of the activities of an EEA establishment of a Client;
c. Subject to EEA Data Transfer Restrictions;
d. Processed by ADP outside the EEA in a country which has not been deemed to provide an adequate level of data protection by competent EEA institutions; and
e. Processed pursuant to a Service Agreement that specifically provides that the ADP Privacy Code for Client Data Processing Services shall apply to such personal data.

Implementation

The effective date of the ADP Privacy Code for Client Data Processing Services is April 11, 2018. ADP will implement the ADP Privacy Code for Client Data Processing Services across the relevant ADP Group Companies within 18 months of the effective date.

Glossary for BCR

To access the glossary of terms used throughout ADP BCR related materials, please click www.adp.com/privacy/pdf/glossary_en.pdf.

ADP Privacy Code for Client Data Processing Services Principles

The ADP Privacy Code for Client Data Processing Services is based on a set of data protection principles outlined below.

Data Processing Purposes

ADP shall Process Client Data on behalf of the Client, only in accordance with the Service Agreement, pursuant to any documented instructions received from the Client, or as needed to comply with Applicable Law.

ADP processes personal data (including Special Categories of Data) pertaining to client employees as needed to provide client services, client support activities, as required by EEA applicable law and for the following additional purposes:

a. Hosting, storage, and other processing needed for business continuity and disaster recovery;
b. System and network administration and security, including infrastructure monitoring, identity and credential management, verification and authentication, and access control;
c. Monitoring and other controls needed to safeguard the security and integrity of transactions;
d. Enforcing contracts and protecting ADP, its associates, clients, client employees, and the public against theft, legal liability, fraud, or abuse; and
e. Approved ADP internal business processes.

Upon termination of the Service Agreement, ADP shall fulfill its obligations to the client with regard to the returning the data and securely destroying the data, subject to EEA applicable law.

Security Requirements

ADP has implemented commercially reasonable and appropriate technical, physical, and organizational measures to protect Client Data from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, acquisition, or access during the Processing, which will meet the requirements of EEA Applicable Law, or any stricter requirements, as imposed under the Service Agreement.

Access to Client Data will be authorized only to the extent necessary to serve the applicable Data Processing Purposes and requirements of the Service Agreements. ADP staff with access to client data will be subject to confidentiality obligations.

ADP shall notify the client of a data security breach without undue delay after becoming aware that such a breach has occurred, unless a law enforcement official or supervisory authority determines that notification would impede a criminal investigation, or cause damage to national security or a breach of trust in the relevant industry sector.

Transparency to Client Employees

ADP shall promptly notify the Client of requests or complaints related to the Processing of personal data by ADP that are received directly from client employees without responding to such requests or complaints, unless otherwise provided in the Service Agreement or instructed by the client.

Subprocessors

Third Party Subprocessors may only Process Client Data pursuant to a Subprocessor Contract. The Subprocessor Contract shall impose similar data protection-related Processing terms on the Third Party Subprocessor that will be not less protective than those imposed on the ADP Contracting Entity by the Service Agreement and the ADP Privacy Code for Client Data Processing Services.

ADP shall publish an overview of the categories of Subprocessors involved in the performance of the relevant Client Services and ADP shall provide notice to the Client of any new Subprocessors engaged by ADP for the delivery of the Client Services. Clients have 30 days from notification date to object to the use of new Subprocessors engaged by ADP.

Governance

ADP’s privacy program is managed by ADP’s Global Chief Privacy Officer and the members of the Data Privacy and Governance Team. ADP has implemented a Privacy Network comprised of the members of the Data Privacy and Governance Team and other members of the Legal department, including compliance professionals, and Data Protection Officers, who are in charge of privacy compliance within their respective regions, countries, Business Units or Functional areas.

Additionally, Privacy Stewards are Executives who have been appointed by ADP senior leaders to implement and enforce compliance with ADP’s privacy program within their respective Business Units or Functional areas. Privacy Stewards and selected members of the Privacy Network serve on ADP’s Privacy Leadership Council, led by ADP’s Global Chief Privacy Officer, to oversee privacy compliance at ADP.

Compliance

ADP shall respond promptly and appropriately to requests for assistance from the Client to enable the Client to comply with its obligations, subject to Applicable Law and in accordance with the Service Agreement.

Monitoring and Audit

ADP will address Client audit requests and will answer questions asked by the Client regarding the Processing of Client Data by ADP. If further information is requested, in agreement with Client, ADP will either a) allow an independent third party assessor to conduct an audit, no more than annually per client, subject to a 45 day written notice and bound by confidentiality terms, or b) provide the Client with a statement from a third party assessor, indicating ADP’s compliance with the ADP Privacy Code for Client Data Processing Services. Additionally, ADP will allow its Processing facilities to be audited by any DPA of an EEA Country which is competent to audit an ADP Client.

The Global Chief Privacy Officer shall produce an annual report for the ADP Executive Committee on compliance with the ADP Privacy Code for Client Data Processing Services, privacy, data protection risks, and other relevant issues.

Complaints Procedure

Client Employees covered by the ADP Privacy Code for Client Data Processing Services may file a written complaint if they suspect that a member(s) of the ADP Group Companies has violated the commitments made in the ADP Privacy Code for Client Data Processing Services, as further defined in the ADP Privacy Code for Client Data Processing Services.

Complaints must be submitted in writing to the ADP Global Data Privacy and Governance Team. Complaints may be submitted via email to Privacy@ADP.com or via mail to:

ADP Delegated Entity
ADP Nederland B.V.
Lylantse Baan 1, 2908 
LG CAPELLE AAN DEN IJSSEL
THE NETHERLANDS

Client Employees may also file a complaint or claim with the relevant DPAs or the Courts.

ADP Privacy Code for Client Data Processing Services

For the full text of the ADP Privacy Code for Client Data Processing Services, please click www.adp.com/privacy/pdf/bcrpc_en.pdf. For a list of the Group Companies bound by ADP’s Privacy Code for Client Data Processing Services, please click www.adp.com/privacy/pdf/A3CoPC3.pdf.

Contact Us

For more information about ADP’s Privacy Program, including the ADP Privacy Code for Client Data Processing Services, please contact the Global Data Privacy and Governance team at Privacy@ADP.com.

ADP Privacy Code for Business Data

Introduction

ADP has adopted Binding Corporate Rules (BCR) as a Data Controller. BCR are a legally binding set of internal rules, recognized by the European Union (EU) Data Protection Authorities (DPAs), to ensure a consistent approach to privacy and data protection across Group Companies with the same parent, including those located outside of the EU.

Scope and Applicability

The ADP Privacy Code for Business Data indicates the commitments ADP has implemented for Processing Personal Data pertaining to those Individuals with whom ADP has a business relationship (e.g., Individuals who represent ADP’s Clients, Suppliers and Business Partners, other Professionals, and Consumers) and other Individuals whose Personal Data are processed by ADP in the context of its business activities as a Data Controller.

Implementation

The effective date of the ADP Privacy Code for Business Data is April 11, 2018. ADP will implement the ADP Privacy Code for Business Data across the relevant ADP Group Companies within 18 months of the effective date.

Glossary for BCR

To access the glossary of terms used throughout ADP BCR related materials, please click www.adp.com/privacy/pdf/glossary_en.pdf.

ADP Privacy Code for Business Data Principles

The ADP Privacy Code for Business Data is based on a set of data protection principles outlined below.

Business Purposes for Processing Personal Data

Personal Data may be processed by ADP in the context of its business operations for one or more of the following Business Purposes:

A. Business Purposes for Processing Personal Data pertaining to Professionals:

  1. Business relationship management;
  2. Business relationship due diligence;
  3. Transactional communications;
  4. Account management;
  5. Quality control;
  6. Risk management;
  7. Security management; and
  8. Anonymize or de-identify Personal Data.

B. Business Purposes for Processing Personal Data pertaining to Consumers and other Individuals:

  1. Provide requested information, products or services;
  2. Due diligence;
  3. Transactional communications;
  4. Account management;
  5. Risk management;
  6. Security management; and
  7. Anonymize or de-identify Personal Data.

C. Business-necessary Processing activities:

  1. Protect privacy and security;
  2. Treasury operations and money movement activities;
  3. Compliance;
  4. Business structuring activities; and
  5. Reporting and analysis.

D. Development and improvement of products and/or services; and

E. Relationship management and marketing.

Use for Other Purposes

Personal Data may be processed for a secondary purpose, similar to the legitimate Business Purpose, provided appropriate additional measures are taken. It is generally permissible to Process Personal Data for the following purposes (even if not listed as a Business Purpose), provided appropriate additional measures are taken:

  1. Disaster recovery and business continuity, including transferring the Information to an Archive;
  2. Internal audits or investigations;
  3. Implementation or verification of business controls;
  4. Statistical, historical, or scientific research;
  5. Dispute resolution;
  6. Legal or business counseling;
  7. Compliance with laws and company policies; or
  8. Insurance purposes.

Purposes for Processing Special Categories of Data

The following Special Categories of Data may be processed by ADP for the purposes specified below:

  1. Special Categories of Data revealed by Photographic Images. Photographic images and video recordings may be processed for security, compliance and other legitimate Business Purposes, such as participating in video conferences.
  2. Racial or ethnic data. ADP may Process racial and ethnic data as needed to facilitate Supplier and other diversity programs.
  3. Criminal data (including data relating to criminal behavior, criminal records, or proceedings regarding criminal or unlawful behavior). ADP may Process criminal data as needed to conduct appropriate due diligence on Individuals and in connection with security and compliance activities as needed to protect the interests of ADP.
  4. Physical or mental health data. ADP may Process physical or mental health data as needed to accommodate a person’s disability or dietary needs, address emergency health needs, or in similar circumstances.
  5. Biometric data (such as fingerprints). ADP may Process biometric data for the protection of ADP and Staff assets, system and site access, security and fraud prevention reasons.
  6. Religion or beliefs. ADP may Process data pertaining to religion or beliefs as needed to meet an Individual’s specific needs, such as accommodating dietary requests (for kosher or halal meals) or respecting religious holidays.

Special categories of data may be processed for any other legitimate purpose, if ADP obtains the prior explicit consent of the Individual.

Quantity and Quality of Data

ADP shall establish and implement retention schedules so that records containing Personal Data are only retained as needed to fulfill the applicable Business Purposes, to comply with applicable legal requirements, or as advisable in light of applicable statutes of limitations.

Personal Data should be accurate, complete, and kept up-to-date to the extent reasonably necessary for the applicable Business Purposes. It is the responsibility of Individuals to ensure that their Personal Data are accurate, complete, and up-to-date.

Individual Rights of Access, Rectification and Objection

Individuals have the right to request a copy of the Personal Data maintained by or on behalf of ADP. If the personal data are incorrect, incomplete, or not processed in compliance with applicable law or the ADP Privacy Code for Business Data, the Individual has the right to have the personal data rectified, restricted or erased (as appropriate).

Additionally, Individuals have the right to object to a) the Processing of their Personal Data on the basis of compelling grounds related to their particular situation, or b) receiving direct marketing communications (opting-out).

Information around the process for submitting an Individual Rights Request can be found in Article 7 of the ADP Privacy Code for Business Data.

Security and Confidentiality Requirements

ADP has implemented commercially reasonable and appropriate technical, physical, and organizational measures to protect Personal Data from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, acquisition, or access.

Access to Personal Data will be authorized only to the extent necessary to serve the applicable Business Purposes and ADP Staff with access to Personal Data will be subject to confidentiality obligations.

ADP shall investigate all known or suspected Data Security Breaches and shall document the facts relating thereto, its effects and the remedial actions taken. ADP shall notify Individuals of a Data Security Breach within a reasonable period of time following determination of such Data Security Breach if (a) the Individual is at a high risk of harm as a result of the Data Security Breach or, (b) (even if the Individual is not at a high risk of harm), if an applicable breach notification law requires Individual notification.

Direct Marketing

ADP respects the choices of Individuals and provides Individuals the choice to opt-in and opt-out of direct marketing. ADP will send direct marketing materials if the Individual has provided opt-in consent or if Applicable Law permits ADP to send marketing communications without explicit consent based on an existing business relationship.

Transfer of Personal Data to Third Parties and Internal Processors

ADP may transfer Personal Data to a Third Party and to Internal Processors to the extent necessary to serve the applicable Business Purposes. ADP will only transfer Personal Data to a Third Party or to an Internal Processor if a written contract has been entered into with the ADP Group Company ensuring that the same level of data protection will be applied as described in the ADP Privacy Code for Business Data.

Governance

ADP’s privacy program is managed by ADP’s Global Chief Privacy Officer and the members of the Data Privacy and Governance Team. ADP has implemented a Privacy Network comprised of the members of the Data Privacy and Governance Team and other members of the Legal department, including compliance professionals, and Data Protection Officers, who are in charge of privacy compliance within their respective regions, countries, Business Units or Functional areas.

Additionally, Privacy Stewards are Executives who have been appointed by ADP senior leaders to implement and enforce compliance with ADP’s privacy program within their respective Business Units or Functional areas. Privacy Stewards and selected members of the Privacy Network serve on ADP’s Privacy Leadership Council, led by ADP’s Global Chief Privacy Officer, to oversee privacy compliance at ADP.

Monitoring and Audit

ADP shall audit business processes and procedures that involve the Processing of Personal Data for compliance with the ADP Privacy Code for Business Data on a regular basis. Additionally, ADP will allow its Processing facilities to be audited by the Lead DPA and DPAs of an EEA Country, as defined in the ADP Privacy Code for Business Data.

The Global Chief Privacy Officer shall produce an annual report for the ADP Executive Committee on compliance with the ADP Privacy Code for Business Data, privacy, data protection risks, and other relevant issues.

Complaints Procedure

Individuals covered by the ADP Privacy Code for Business Data may file a written complaint if they suspect that a member(s) of the ADP Group Companies has violated the commitments made in the ADP Privacy Code for Business Data, as further defined in the ADP Privacy Code for Business Data.

Complaints must be submitted in writing to the ADP Global Data Privacy and Governance Team. Complaints may be submitted via email to Privacy@ADP.com or via mail to:

ADP Delegated Entity
ADP Nederland B.V.
Lylantse Baan 1, 2908 
LG CAPELLE AAN DEN IJSSEL
THE NETHERLANDS

Individuals may also file a complaint or claim with the relevant DPAs or the Courts.

ADP Privacy Code for Business Data

For the full text of the ADP Privacy Code for Business Data, please click www.adp.com/privacy/pdf/bcrbc_en.pdf
For a list of Group Companies bound by the ADP Privacy Code for Business Data, please click www.adp.com/privacy/pdf/A2CoBDC.pdf.

Contact Us

For more information about ADP’s Privacy Program, including the ADP Privacy Code for Business Data, please contact the Global Data Privacy and Governance team at Privacy@ADP.com.