{"component": "clause", "props": {"groups": [{"snippet_links": [{"key": "access-to", "type": "definition", "offset": [20, 29]}, {"key": "authorized-users-only", "type": "clause", "offset": [30, 51]}, {"key": "individual-user", "type": "definition", "offset": [204, 219]}, {"key": "class-of", "type": "definition", "offset": [233, 241]}, {"key": "operating-systems", "type": "clause", "offset": [360, 377]}, {"key": "application-software", "type": "clause", "offset": [386, 406]}, {"key": "ability-to", "type": "definition", "offset": [421, 431]}, {"key": "an-appropriate", "type": "clause", "offset": [464, 478]}, {"key": "changes-in", "type": "clause", "offset": [523, 533]}, {"key": "support-requirements", "type": "clause", "offset": [569, 589]}], "samples": [{"hash": "5tP6iU0w1UJ", "uri": "/contracts/5tP6iU0w1UJ#authorization-control", "label": "Master Agreement", "score": 27.2272416153, "published": true}, {"hash": "hicBnK0uFxX", "uri": "/contracts/hicBnK0uFxX#authorization-control", "label": "Master Agreement", "score": 26.7015742642, "published": true}, {"hash": "gGepxvolF7C", "uri": "/contracts/gGepxvolF7C#authorization-control", "label": "Master Agreement", "score": 26.1622176591, "published": true}], "size": 4, "snippet": "Security must allow access to authorized users only \u2013 to only those resources, files, applications, and services that they are authorized to use. Security will be definable by an administrator both on an individual user basis and by class of user (teachers, students, parents, administrators, etc.). Identification of a user must be unique to each individual. Operating systems and the application software must have the ability to be restricted or locked down in an appropriate way that prevents inadvertent or deliberate changes in key settings and, thereby, reduces support requirements.", "hash": "e3c3112093c271119ab14d70832e833d", "id": 1}, {"snippet_links": [{"key": "access-to-personal-data", "type": "clause", "offset": [11, 34]}, {"key": "a-technical", "type": "clause", "offset": [58, 69]}, {"key": "employees-shall", "type": "clause", "offset": [104, 119]}, {"key": "level-of-access", "type": "clause", "offset": [151, 166]}, {"key": "processing-personal-data", "type": "definition", "offset": [172, 196]}, {"key": "employees-who", "type": "clause", "offset": [203, 216]}], "samples": [{"hash": "jpvImaNobIi", "uri": "/contracts/jpvImaNobIi#authorization-control", "label": "Data Processing Agreement", "score": 32.1229401792, "published": true}, {"hash": "5V89QMHzJUh", "uri": "/contracts/5V89QMHzJUh#authorization-control", "label": "Data Processing Agreement", "score": 31.9641728596, "published": true}, {"hash": "1BxVffUsQt3", "uri": "/contracts/1BxVffUsQt3#authorization-control", "label": "Data Processing Agreement", "score": 31.9450112865, "published": true}], "size": 4, "snippet": "Employees\u2019 access to Personal Data shall be controlled by a technical system for authorization control. Employees shall be granted the lowest possible level of access when processing Personal Data. Only employees who require access to Personal Data for their work shall be granted access.", "hash": "274759129b1663417c400ad121d21f9f", "id": 2}, {"snippet_links": [{"key": "grant-access", "type": "clause", "offset": [11, 23]}, {"key": "examples-include", "type": "definition", "offset": [108, 124]}, {"key": "access-authorization", "type": "clause", "offset": [227, 247]}, {"key": "basis-of", "type": "clause", "offset": [270, 278]}, {"key": "approved-by", "type": "definition", "offset": [299, 310]}, {"key": "relevant-supervisor", "type": "definition", "offset": [315, 334]}, {"key": "approval-process", "type": "clause", "offset": [393, 409]}, {"key": "access-security", "type": "clause", "offset": [425, 440]}, {"key": "security-systems", "type": "clause", "offset": [468, 484]}, {"key": "active-directory", "type": "clause", "offset": [499, 515]}, {"key": "user-accounts", "type": "clause", "offset": [531, 544]}, {"key": "in-the-event", "type": "clause", "offset": [597, 609]}, {"key": "responsibility-for", "type": "clause", "offset": [642, 660]}, {"key": "current-policies", "type": "clause", "offset": [744, 760]}], "samples": [{"hash": "gj0oJ0uWwBI", "uri": "/contracts/gj0oJ0uWwBI#authorization-control", "label": "Saas Agreement", "score": 30.6108975739, "published": true}, {"hash": "10HlSU77L0v", "uri": "/contracts/10HlSU77L0v#authorization-control", "label": "Software as a Service Agreement", "score": 25.34770705, "published": true}, {"hash": "dDCTtHwgIjL", "uri": "/contracts/dDCTtHwgIjL#authorization-control", "label": "Software as a Service Agreement", "score": 20.7207392197, "published": true}], "size": 3, "snippet": "Entco will grant access authorizations on a \"need-to-know\" and \"need-to-do\" basis (lowest possible rights). Examples include access authorizations for task-related authorization schemes, user profiles, and functional roles. An access authorization will be sought on the basis of the role scheme and approved by the relevant supervisor. Additional control instances will be integrated into the approval process. For technical access security, Entco will use recognized security systems such as RACF, Active Directory, etc. Existing user accounts will be checked periodically and deleted or changed in the event that a user's tasks change. The responsibility for user accounts must be clearly assigned; representations are defined allowed in the current policies.", "hash": "f43d4106748d48eb3dc4ade485b0ce01", "id": 3}, {"snippet_links": [{"key": "data-processing-system", "type": "definition", "offset": [52, 74]}, {"key": "subject-to", "type": "definition", "offset": [100, 110]}, {"key": "access-authorization", "type": "clause", "offset": [117, 137]}, {"key": "personal-data", "type": "clause", "offset": [147, 160]}, {"key": "without-authorization", "type": "definition", "offset": [205, 226]}], "samples": [{"hash": "2RPqXazQY6U", "uri": "/contracts/2RPqXazQY6U#authorization-control", "label": "Data Processing Agreement", "score": 32.1065159737, "published": true}, {"hash": "3gedcePm6f8", "uri": "/contracts/3gedcePm6f8#authorization-control", "label": "Data Processing Agreement", "score": 31.6220019121, "published": true}], "size": 3, "snippet": "Measures that ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage.", "hash": "42e688f47d143960340db5a00b3edf95", "id": 4}, {"snippet_links": [{"key": "access-control", "type": "clause", "offset": [11, 25]}, {"key": "to-ensure", "type": "clause", "offset": [29, 38]}, {"key": "data-processing-system", "type": "definition", "offset": [75, 97]}, {"key": "subject-to", "type": "definition", "offset": [128, 138]}, {"key": "access-authorization", "type": "clause", "offset": [158, 178]}, {"key": "without-authorization", "type": "definition", "offset": [235, 256]}, {"key": "employees-who", "type": "clause", "offset": [377, 390]}, {"key": "declaration-of-commitment", "type": "clause", "offset": [452, 477]}, {"key": "user-ids", "type": "definition", "offset": [573, 581]}, {"key": "identification-and-authentication", "type": "clause", "offset": [585, 618]}, {"key": "access-to", "type": "definition", "offset": [686, 695]}, {"key": "production-operations", "type": "definition", "offset": [766, 787]}], "samples": [{"hash": "kOnZ2xK9pq4", "uri": "/contracts/kOnZ2xK9pq4#authorization-control", "label": "Saas Terms and Conditions", "score": 32.206013366, "published": true}, {"hash": "hGJCPzsQdHn", "uri": "/contracts/hGJCPzsQdHn#authorization-control", "label": "Saas Terms and Conditions", "score": 31.1768266976, "published": true}], "size": 2, "snippet": "The aim of access control is to ensure that only those authorized to use a data processing system can access exclusively the pD subject to their task-related access authorization and that pD cannot be read, copied, modified or removed without authorization during processing, use and after storage. The implementation of the following measures supports this requirement. \u2612 All employees who handle pD are separately bound to secrecy (e.g. by contract, declaration of commitment) or by law. \u2612 Implementing a sufficiently differentiated role and authorization model \u2612 Use of user IDs. \u2612 Identification and authentication of users. \u2612 Automatic verification of authorizations. \u2612 Logging of access to specific files. \u2612 Use of encryption methods. \u2612 Separation of test and production operations.", "hash": "ccbfe02e3ff608b02dea2148048e5ae9", "id": 5}, {"snippet_links": [{"key": "authorization-of-individuals", "type": "clause", "offset": [42, 70]}, {"key": "supervision-of-personnel", "type": "clause", "offset": [148, 172]}, {"key": "maintenance-activities", "type": "clause", "offset": [202, 224]}, {"key": "maintenance-personnel", "type": "definition", "offset": [304, 325]}, {"key": "system-security", "type": "definition", "offset": [330, 345]}], "samples": [{"hash": "eJKLCsqQahe", "uri": "/contracts/eJKLCsqQahe#authorization-control", "label": "Cloud Agreement", "score": 22.900752909, "published": true}, {"hash": "8yGYTogYHkC", "uri": "/contracts/8yGYTogYHkC#authorization-control", "label": "Master Software License, Maintenance & Professional Services Agreement", "score": 22.8514715948, "published": true}], "size": 2, "snippet": "Implement a mechanism for controlling the authorization of individuals, organizations, and roles to access applications, data, and software. Assure supervision of personnel performing technical systems maintenance activities by authorized, knowledgeable persons. Work to train Users, including technical maintenance personnel, in system security.", "hash": "105098ce363f478289c69438c6472fd3", "id": 6}, {"snippet_links": [{"key": "authorization-of-individuals", "type": "clause", "offset": [42, 70]}, {"key": "ordering-activity", "type": "definition", "offset": [156, 173]}, {"key": "identity-management", "type": "definition", "offset": [185, 204]}, {"key": "single-sign", "type": "clause", "offset": [241, 252]}, {"key": "supervision-of-personnel", "type": "clause", "offset": [300, 324]}, {"key": "maintenance-activities", "type": "clause", "offset": [354, 376]}, {"key": "system-users", "type": "clause", "offset": [427, 439]}, {"key": "maintenance-personnel", "type": "definition", "offset": [461, 482]}, {"key": "system-security", "type": "definition", "offset": [498, 513]}], "samples": [{"hash": "5oyPovlg91J", "uri": "/contracts/5oyPovlg91J#authorization-control", "label": "Master Software Services Agreement", "score": 23.5434633812, "published": true}], "size": 1, "snippet": "Implement a mechanism for controlling the authorization of individuals, organizations, and roles to access applications, data, and software. Integrate with Ordering Activity's existing identity management solution where one exists to enable single sign-on and centralized identity management. Assure supervision of personnel performing technical systems maintenance activities by authorized, knowledgeable persons. Ensure that system users, including technical maintenance personnel are trained in system security.", "hash": "e79667b92c34cf3e5ce87ec935b2b00a", "id": 7}, {"snippet_links": [{"key": "grant-access", "type": "clause", "offset": [40, 52]}, {"key": "examples-include", "type": "definition", "offset": [138, 154]}, {"key": "access-authorization", "type": "clause", "offset": [257, 277]}, {"key": "basis-of", "type": "clause", "offset": [300, 308]}, {"key": "approved-by", "type": "definition", "offset": [329, 340]}, {"key": "relevant-supervisor", "type": "definition", "offset": [345, 364]}, {"key": "approval-process", "type": "clause", "offset": [423, 439]}, {"key": "access-security", "type": "clause", "offset": [455, 470]}, {"key": "the-service-provider-will", "type": "clause", "offset": [472, 497]}, {"key": "security-systems", "type": "clause", "offset": [513, 529]}, {"key": "active-directory", "type": "clause", "offset": [544, 560]}, {"key": "user-accounts", "type": "clause", "offset": [576, 589]}, {"key": "in-the-event", "type": "clause", "offset": [642, 654]}, {"key": "responsibility-for", "type": "clause", "offset": [687, 705]}, {"key": "current-policies", "type": "clause", "offset": [789, 805]}], "samples": [{"hash": "iQClYsTNQlW", "uri": "/contracts/iQClYsTNQlW#authorization-control", "label": "Honeywell Homes Smart Metering Platform Service Agreement", "score": 27.8115862405, "published": true}], "size": 1, "snippet": "Honeywell Homes\u00b4s service provider will grant access authorizations on a \"need-to- know\" and \"need-to-do\" basis (lowest possible rights). Examples include access authorizations for task-related authorization schemes, user profiles, and functional roles. An access authorization will be sought on the basis of the role scheme and approved by the relevant supervisor. Additional control instances will be integrated into the approval process. For technical access security, the service provider will use recognized security systems such as RACF, Active Directory, etc. Existing user accounts will be checked periodically and deleted or changed in the event that a user's tasks change. The responsibility for user accounts must be clearly assigned; representations are defined allowed in the current policies.", "hash": "576710527108687d993404d80e6ac757", "id": 8}, {"snippet_links": [{"key": "to-ensure", "type": "clause", "offset": [9, 18]}, {"key": "data-processing-system", "type": "definition", "offset": [50, 72]}, {"key": "subject-to", "type": "definition", "offset": [98, 108]}, {"key": "access-authorization", "type": "clause", "offset": [115, 135]}, {"key": "without-authorization", "type": "definition", "offset": [204, 225]}, {"key": "application-access", "type": "clause", "offset": [279, 297]}, {"key": "data-use", "type": "definition", "offset": [348, 356]}, {"key": "number-of", "type": "clause", "offset": [391, 400]}, {"key": "management-of", "type": "clause", "offset": [416, 429]}, {"key": "user-rights", "type": "definition", "offset": [430, 441]}, {"key": "control-measures", "type": "clause", "offset": [475, 491]}, {"key": "data-collected", "type": "clause", "offset": [509, 523]}, {"key": "for-example", "type": "definition", "offset": [597, 608]}, {"key": "physical-separation", "type": "definition", "offset": [625, 644]}, {"key": "test-environments", "type": "clause", "offset": [687, 704]}, {"key": "database-rights", "type": "definition", "offset": [787, 802]}, {"key": "the-processing-of-personal-data", "type": "clause", "offset": [876, 907]}, {"key": "specific-data", "type": "clause", "offset": [969, 982]}, {"key": "additional-information", "type": "definition", "offset": [1010, 1032]}, {"key": "provided-that", "type": "clause", "offset": [1034, 1047]}, {"key": "appropriate-technical-and-organizational-measures", "type": "clause", "offset": [1113, 1162]}, {"key": "in-the-case", "type": "clause", "offset": [1164, 1175]}, {"key": "internal-instruction", "type": "definition", "offset": [1294, 1314]}, {"key": "in-the-event-of", "type": "definition", "offset": [1376, 1391]}, {"key": "expiry-of", "type": "clause", "offset": [1421, 1430]}], "samples": [{"hash": "iOByurtDsX9", "uri": "/contracts/iOByurtDsX9#authorization-control", "label": "Data Processing Agreement", "score": 33.6364200837, "published": true}], "size": 1, "snippet": "Measures to ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, modified, or removed without authorization during processing, use and after storage. Logging of application access, specifically when entering, editing and deleting data Use of authorization concepts Minimum number of administrators Management of user rights by administrators\n1.4 SEPARATION CONTROL Measures that ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and physical separation of the data. Separation of production and test environments Multi-tenancy of relevant applications Control via authorization concept Defining database rights\n1.5 PSEUDONYMIZATION (Art. 32 para. 1 lit. a GDPR; Art. 25 para. 1 GDPR) The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures. In the case of pseudonymization: separation of assignment data and preservation in separate and separate secured system (possibly Internal instruction to anonymize / pseudonymize personal data as far as possible in the event of disclosure or even after the expiry of the statutory deletion period", "hash": "e3f42054a094b46fefa051ee1c24c7a3", "id": 9}, {"snippet_links": [], "samples": [{"hash": "iYAJaUM82Ey", "uri": "/contracts/iYAJaUM82Ey#authorization-control", "label": "Data Processing Agreement", "score": 32.2345189542, "published": true}], "size": 1, "snippet": "MGasurGs \u0165o GnsurG \u0165ha\u0165 \u0165hosG au\u0165horizGd \u0165o usG a da\u0165a procGssing sys\u0165Gm can only accGss \u0165hG da\u0165a subjGc\u0165 \u0165o \u0165hGir accGss au\u0165horiza\u0165ion and \u0165ha\u0165 pGrsonal da\u0165a canno\u0165 bG rGad, copiGd, modifiiGd or rGmovGd wi\u0165hou\u0165 au\u0165horiza\u0165ion during procGssing, usG and afi\u0165Gr s\u0165oragG.", "hash": "48724012eeef56b18d4eeaeb3c249c1b", "id": 10}], "next_curs": "Cl4SWGoVc35sYXdpbnNpZGVyY29udHJhY3RzcjoLEhZDbGF1c2VTbmlwcGV0R3JvdXBfdjU2Ih5hdXRob3JpemF0aW9uLWNvbnRyb2wjMDAwMDAwMGEMogECZW4YACAA", "clause": {"title": "Authorization Control", "size": 27, "parents": [["final-provisions", "Final provisions"], ["instructions", "Instructions"], ["approved-sub-processors", "Approved Sub-processors"], ["confidentiality", "Confidentiality"], ["disposal", "Disposal"]], "children": [], "id": "authorization-control", "related": [["authorization-etc", "Authorization, Etc", "Authorization, Etc"], ["authorization-contravention", "Authorization; Contravention", "Authorization; Contravention"], ["authorization-approvals", "Authorization; Approvals", "Authorization; Approvals"], ["authorization-approval-etc", "Authorization, Approval, etc", "Authorization, Approval, etc"], ["power-authorization", "Power; Authorization", "Power; Authorization"]], "related_snippets": [], "updated": "2025-07-07T12:37:54+00:00", "also_ask": [], "drafting_tip": null, "explanation": "The Authorization Control clause establishes the procedures and requirements for granting, managing, and revoking access rights or permissions within a system or organization. Typically, it outlines who has the authority to approve access, the process for requesting authorization, and the conditions under which access may be modified or withdrawn. For example, it may require that only designated managers can approve user access to sensitive data, and that such access must be reviewed periodically. The core function of this clause is to ensure that only authorized individuals can access certain resources, thereby protecting sensitive information and reducing the risk of unauthorized actions."}, "json": true, "cursor": ""}}