Privacy guide for Briefing emails

When data is processed for Briefing emails, it protects your privacy and fully complies with local regulations, such as the General Data Protection Regulation (GDPR).

Summary of key points

  • Personal and private - Your Briefing emails are personal and private and are only sent to you directly in your mailbox, which cannot be accessed by anybody else in your organization, including your IT admin or your manager.
  • Everyone's data is kept private - Briefing emails do not include any personally identifiable information about anybody else in your organization. The insights and actions are based on information generated by you and your organization just by going about your regular workday. Your Briefing emails are based on information that you already have access to but can’t quickly aggregate without help.
  • Mailbox security - Briefing email data uses Exchange Online email and calendar data and processes and stores any insights or actions inside your Exchange Online mailbox, so data security is built-in and enforced by Exchange.
  • GDPR compliant – Microsoft designed the Briefing email to comply with the GDPR.
  • Global Opt-in setting – Any user of the Exchange Online service is automatically Opted in by default to receive the Briefing email. As an individual, you can select Unsubscribe at the end of any Briefing email to opt out. Your admin can also turn Off the global Opt-in default setting and ask you to individually opt in.
  • More information is always available – Your first Briefing email describes what it is, that your data is kept private, and includes documentation links to get more details. All subsequent Briefing emails will always include informational links and the option to unsubscribe.

Your experience with Briefing emails

You can use a Briefing email to do the following:

How it works

The insights and actions in the Briefing email are based on your Exchange Online mailbox data, such as email and calendar data. The insights are derived from data that is already available to you in your Exchange Online mailbox.

For example, if you want to determine what commitments you made to others, you could manually review each email in your mailbox. The Briefing email simply saves you from this tedious process.

Privacy settings

The Briefing email provides flexible and configurable controls that are designed to enable your organization to address varying legal needs and policies regarding privacy and use of employee data. When enabling the Briefing email for your organization, admins can make the following choices.

  • Set default access for all – By default, all employees with an Exchange Online mailbox are opted in to receive the Briefing email. Your admin can turn this Opt-in setting On or Off.

    • When it is set On, all employees get the Briefing email by default. However, they can individually unsubscribe at any time.
    • When it is set Off, employees can go to and subscribe to get the Briefing email.
  • Opt in select people – Your admin can also select a group of employees to automatically get the Briefing email by default. And then turn the Opt-in setting Off for everyone else in the organization.

  • Turn Off for all - Admins can turn the Briefing email Off for all users in the organization with no option to subscribe or opt back into getting the Briefing email.

GDPR compliance

The Briefing email complies with GDPR requirements. Microsoft helps data controllers meet the following obligations for the Briefing email:

  1. Secure and protect users’ personal data. All data is stored in the employees’ Exchange Online mailbox. The computed metrics, such as tasks, are appended to the mailbox. Thus, the Briefing email meets this obligation by virtue of Exchange Online also meeting the obligation:

    • Microsoft will not mine customer data in Exchange Online for advertising.
    • Microsoft will not voluntarily disclose Exchange Online customer data to law enforcement agencies.
    • Microsoft will meet all requirements related to encryption of Exchange Online data and implement controls to reduce security risks and help ensure business continuity, as described in ISO 27001 and 27018.
  2. Notify users in the event that a breach is detected. Microsoft will notify customer privacy contacts within 72 hours of Microsoft becoming aware of a breach by using Office 365 incident response standard operating procedures.

  3. Honor user requests (DSRs) to export, delete, or restrict processing personal data. Microsoft supports your need to honor user requests in the following ways.

To learn more, see GDPR compliance

Briefing email overview