Software Outlook: Search to Export
Outlook: Search to Export
GDPR Guide

GDPR Requests: A Practical Guide for Companies

This page supports the GDPR request feature of Outlook: Search to Export. It explains what a GDPR data subject access request is, what your response must contain, what you may leave out, who may make a request and how often — and how the export created by the add-in fits into the process.

Disclaimer: This page is general information, not legal advice. GDPR enforcement details vary between EU/EEA member states and situations. When in doubt, consult your data protection officer or legal counsel.


What is a GDPR access request?

Under Article 15 of the EU General Data Protection Regulation (GDPR, Regulation 2016/679), any person (the data subject) has the right to ask an organisation:

  1. whether the organisation processes personal data about them, and if so,
  2. to receive a copy of that personal data, together with
  3. supplementary information about the processing.

This is commonly called a DSAR (data subject access request) or tietopyyntö in Finnish. E-mail is one of the most common places where personal data about a person accumulates: messages they sent to you, messages you sent to them, and messages that mention them.

A request is valid in any form — e-mail, letter, phone call, even verbally. It does not need to mention the GDPR or use any particular words. The clock starts when the request reaches you.

Deadlines

Who may make a request?

Important: the right of access covers the requester's own personal data only — never other people's (Article 15(4)).

How often, and what does it cost?

What the response must contain

Your response has two parts:

1. A copy of the personal data

For e-mail this typically means the messages (or relevant extracts) where the requester appears — as sender, as recipient, or discussed in the content. In practice, supervisory authorities and the EDPB Guidelines 01/2022 on the right of access expect you to make a reasonable, documented search of the systems where personal data of the requester can be found, including mailboxes used for business processes.

An access response does not always require handing over full copies of every e-mail. What matters is that the data subject receives the personal data concerning them in an intelligible form. A structured summary — for example a table of date, time, correspondent, subject and the opening lines of each message — is often an appropriate and proportionate format, supplemented with full copies where the content itself is the personal data.

2. Supplementary information (Article 15(1)(a)–(h) and 15(2))

Much of this can be a standard cover letter that accompanies the data export.

What you may (and must) leave out

The right of access is broad, but not unlimited:

Never delete data after receiving a request to avoid disclosing it — destroying requested evidence can constitute a GDPR infringement and, in some situations, a criminal offence.

A practical workflow

  1. Log the request and its date. Verify the requester's identity if in doubt.
  2. Scope the search: which mailboxes, systems and archives can contain the person's data? Document what you searched.
  3. Search and export. In Outlook, the GDPR request mode of Outlook: Search to Export finds all messages in the chosen date range where the person appears as sender or recipient, in both received and sent mail, and produces a structured Excel file with date, time, direction, contact, subject and (optionally) the first lines of each message. The summary sheet records the search term, the date range, the scope of the search and the generation time — useful for documenting how you searched.
  4. Review before disclosure. Go through the export: redact third-party personal data, trade secrets and privileged content. Decide which full messages need to be attached.
  5. Add the supplementary information (purposes, recipients, retention, rights — see above) in a cover letter.
  6. Deliver securely — encrypted or via a secure channel, to a verified address. If the request was made electronically, provide the response in a commonly used electronic form.
  7. Keep a record of what was disclosed, when, and what was redacted and why.

What the add-in does — and what it does not do

The GDPR request checkbox automates step 3: it searches both received and sent mail for the named person and never skips messages (the Skip marketing email option is disabled, because an access response must not silently omit data). The export's summary sheet states the scope of the search.

The add-in searches the default Inbox and Sent Items folders of the current mailbox. If your organisation uses subfolders, archive mailboxes, shared mailboxes or other systems (CRM, ticketing, chat), search those separately. The tool does not redact third-party data and does not generate the supplementary information — those steps remain your responsibility.

All processing happens locally on your computer. The add-in sends nothing to us or anyone else.

Sanctions for getting it wrong

Ignoring or mishandling access requests is one of the most common causes of GDPR complaints. Infringements of the data subjects' rights (Articles 12–22) fall in the higher fine bracket: up to 20 million euros or 4 % of worldwide annual turnover, whichever is higher (Article 83(5)) — in addition to reputational damage and orders from the supervisory authority.

Sources and further reading