Each authorization role is divided into two sections.
Having personal privileges enabled means the user can only see their own data
The Employee role described works like this
Any user with Administration privileges will have access to other user's data
The Manager and Administration roles have this enabled
Any user with administration privileges will see data for all other users!
This can be prevented by dividing employees into organization units and assigning these organization units to different administrators and managers.