GDPR Requests: A Practical Guide for Companies
This page supports the GDPR request feature of Outlook: Search to Export. It explains what a GDPR data subject access request is, what your response must contain, what you may leave out, who may make a request and how often — and how the export created by the add-in fits into the process.
Disclaimer: This page is general information, not legal advice. GDPR enforcement details vary between EU/EEA member states and situations. When in doubt, consult your data protection officer or legal counsel.
What is a GDPR access request?
Under Article 15 of the EU General Data Protection Regulation (GDPR, Regulation 2016/679), any person (the data subject) has the right to ask an organisation:
- whether the organisation processes personal data about them, and if so,
- to receive a copy of that personal data, together with
- supplementary information about the processing.
This is commonly called a DSAR (data subject access request) or tietopyyntö in Finnish. E-mail is one of the most common places where personal data about a person accumulates: messages they sent to you, messages you sent to them, and messages that mention them.
A request is valid in any form — e-mail, letter, phone call, even verbally. It does not need to mention the GDPR or use any particular words. The clock starts when the request reaches you.
Deadlines
- You must respond without undue delay and at the latest within one month of receiving the request (Article 12(3)).
- The deadline may be extended by two further months if requests are complex or numerous — but you must tell the requester about the extension, with reasons, within the first month.
- If you refuse to act on a request, you must tell the requester within one month, state the reasons, and inform them of their right to complain to the supervisory authority (in Finland: Tietosuojavaltuutetun toimisto) and to seek a judicial remedy.
Who may make a request?
- The data subject themselves. You must be able to verify the requester's identity with reasonable certainty (Recital 64). Ask for additional identification only if you have reasonable doubts — do not collect more data than needed for verification.
- An authorised representative (for example a lawyer) with a mandate/power of attorney from the data subject.
- A guardian on behalf of a person they represent, and parents typically on behalf of young children.
- The right is personal: an employer, spouse or journalist cannot demand someone else's data without authorisation.
Important: the right of access covers the requester's own personal data only — never other people's (Article 15(4)).
How often, and what does it cost?
- The first copy is free of charge.
- For further copies, you may charge a reasonable fee based on administrative costs (Article 15(3)).
- If requests are manifestly unfounded or excessive, in particular because of their repetitive character, you may either charge a reasonable fee or refuse to act (Article 12(5)). The burden of demonstrating this is on you, the controller — apply it narrowly. A person asking once a year is normal; asking every week with no change in circumstances may be excessive.
What the response must contain
Your response has two parts:
1. A copy of the personal data
For e-mail this typically means the messages (or relevant extracts) where the requester appears — as sender, as recipient, or discussed in the content. In practice, supervisory authorities and the EDPB Guidelines 01/2022 on the right of access expect you to make a reasonable, documented search of the systems where personal data of the requester can be found, including mailboxes used for business processes.
An access response does not always require handing over full copies of every e-mail. What matters is that the data subject receives the personal data concerning them in an intelligible form. A structured summary — for example a table of date, time, correspondent, subject and the opening lines of each message — is often an appropriate and proportionate format, supplemented with full copies where the content itself is the personal data.
2. Supplementary information (Article 15(1)(a)–(h) and 15(2))
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipients to whom the data has been or will be disclosed (especially recipients in third countries), and the safeguards used for third-country transfers;
- the envisaged retention period, or the criteria used to determine it;
- the existence of the rights to rectification, erasure, restriction and objection;
- the right to lodge a complaint with a supervisory authority;
- where the data was not collected from the data subject: information about its source;
- the existence of automated decision-making, including profiling, and meaningful information about the logic involved.
Much of this can be a standard cover letter that accompanies the data export.
What you may (and must) leave out
The right of access is broad, but not unlimited:
- Personal data of other people. Disclosing the export must not adversely affect the rights and freedoms of others (Article 15(4)). E-mails almost always contain third-party personal data — other senders, recipients, people discussed. Redact or remove what is not the requester's own personal data, rather than refusing the whole request.
- Trade secrets and intellectual property (Recital 63) may justify redacting specific content — but not refusing to provide any information at all.
- Legally privileged material and data whose disclosure is restricted by national law (e.g. Finnish Data Protection Act 1050/2018, section 34, which contains exceptions such as danger to health or safety, or protection of the rights of others) may be withheld — document the reasoning.
- Data that is not personal data of the requester — purely internal business content in a thread is not automatically disclosable just because the requester's name is in the header; conversely, opinions and assessments about the person generally are their personal data.
Never delete data after receiving a request to avoid disclosing it — destroying requested evidence can constitute a GDPR infringement and, in some situations, a criminal offence.
A practical workflow
- Log the request and its date. Verify the requester's identity if in doubt.
- Scope the search: which mailboxes, systems and archives can contain the person's data? Document what you searched.
- Search and export. In Outlook, the GDPR request mode of Outlook: Search to Export finds all messages in the chosen date range where the person appears as sender or recipient, in both received and sent mail, and produces a structured Excel file with date, time, direction, contact, subject and (optionally) the first lines of each message. The summary sheet records the search term, the date range, the scope of the search and the generation time — useful for documenting how you searched.
- Review before disclosure. Go through the export: redact third-party personal data, trade secrets and privileged content. Decide which full messages need to be attached.
- Add the supplementary information (purposes, recipients, retention, rights — see above) in a cover letter.
- Deliver securely — encrypted or via a secure channel, to a verified address. If the request was made electronically, provide the response in a commonly used electronic form.
- Keep a record of what was disclosed, when, and what was redacted and why.
What the add-in does — and what it does not do
The GDPR request checkbox automates step 3: it searches both received and sent mail for the named person and never skips messages (the Skip marketing email option is disabled, because an access response must not silently omit data). The export's summary sheet states the scope of the search.
The add-in searches the default Inbox and Sent Items folders of the current mailbox. If your organisation uses subfolders, archive mailboxes, shared mailboxes or other systems (CRM, ticketing, chat), search those separately. The tool does not redact third-party data and does not generate the supplementary information — those steps remain your responsibility.
All processing happens locally on your computer. The add-in sends nothing to us or anyone else.
Sanctions for getting it wrong
Ignoring or mishandling access requests is one of the most common causes of GDPR complaints. Infringements of the data subjects' rights (Articles 12–22) fall in the higher fine bracket: up to 20 million euros or 4 % of worldwide annual turnover, whichever is higher (Article 83(5)) — in addition to reputational damage and orders from the supervisory authority.
Sources and further reading
- Regulation (EU) 2016/679 (GDPR), Articles 12 and 15
- EDPB Guidelines 01/2022 on data subject rights – Right of access
- Finland: Office of the Data Protection Ombudsman – Right of access
- Finnish Data Protection Act (1050/2018), section 34 (national exceptions)