In practice, this means you may do only what follows from your role and scope of responsibilities. Having access to a system or documents does not mean you can use the data in any way you like.
The authorization specifies what data you may process, what actions you are allowed to perform on that data, and for how long you have access. It should also clearly indicate who granted the authorization and to whom it was given.
From an employee’s perspective, the most important thing is to act within the scope of the authorization. If you are not authorized to access certain data or perform specific actions (e.g. sharing data), you should not do so.
Examples of violations include accessing data unrelated to your duties, checking information about acquaintances, using data for private purposes, reviewing recruitment documents without being involved in the hiring process, sharing data with other employees without a valid basis, or sending documents containing personal data to a private email account.
Particular care must be taken when dealing with special categories of data (e.g. health data). In such cases, written authorization is required.
If you are unsure whether you can perform a specific action on personal data, consult the Data Protection Officer and do not act on your own.