
    Is Microsoft Copilot GDPR Compliant? A 2026 Guide for European Teams

    Sonomos Research

    The Sonomos research team writes about AI privacy, data protection, and how to use generative AI safely at work.

    Short answer: Microsoft Copilot for Microsoft 365 (on commercial plans) can be used in a GDPR-compliant posture when correctly configured, with an appropriate Data Processing Agreement (DPA) in place and EU data residency enabled. The free consumer Microsoft Copilot (copilot.microsoft.com, the Copilot sidebar in Edge, and Copilot in Bing for personal accounts) is not suitable for processing personal data about EU data subjects in most professional contexts without additional legal review. This guide explains what the GDPR actually requires, where each Copilot product sits relative to those requirements, and the configuration steps that matter for European organizations and their legal teams. For the broader GDPR picture across all major AI tools, see GDPR and AI: A 2026 Compliance Guide and Is ChatGPT GDPR Compliant?.

    The GDPR requirements that matter most for AI tools

    The GDPR imposes five obligations that are directly relevant to enterprise AI tool deployment:

    1. Lawful basis (Article 6). Processing personal data requires a lawful basis — typically legitimate interests, contractual necessity, or (where required) consent. Using an AI tool to process employee or customer data must be covered by an identified lawful basis and, where required by Member State law, disclosed in a privacy notice.

    2. Data processor obligations (Article 28). When an AI provider processes personal data on the controller's behalf, a Data Processing Agreement (DPA) is mandatory. The DPA must specify the subject matter, duration, nature and purpose of processing, the type of personal data, categories of data subjects, and the controller's obligations and rights. A DPA that lacks these elements does not satisfy Article 28.

    3. International data transfers (Articles 46–49). If personal data is transferred outside the EU/EEA, an adequate transfer mechanism must be in place. The EU-US Data Privacy Framework (DPF), Standard Contractual Clauses (SCCs), or adequacy decisions (UK, Switzerland, Japan, etc.) are the typical mechanisms.

    4. Data minimization (Article 5(1)(c)). Only personal data that is adequate, relevant, and limited to what is necessary for the processing purpose may be processed. AI tools that receive more personal data than necessary (e.g., full customer files when only anonymized summaries are needed) may violate data minimization.

    5. Data Protection Impact Assessments (Article 35). When processing is likely to result in high risk to individuals — including large-scale processing of personal data using new technologies — a DPIA is mandatory before the processing begins. Deploying Microsoft Copilot across an enterprise workforce that processes customer data likely triggers DPIA requirements.

    Microsoft Copilot products: which tier is which

    Microsoft has multiple products marketed under the "Copilot" brand. They have materially different data handling postures:

    Microsoft Copilot (free / consumer):

    • Accessed at copilot.microsoft.com, in Edge sidebar, or via Bing with a personal Microsoft account.
    • Subject to Microsoft's consumer privacy policy, not enterprise data processing terms.
    • Not covered by the Microsoft Online Services DPA.
    • Not suitable for processing personal data of EU data subjects in a professional/work context.

    Microsoft Copilot with Commercial Data Protection:

    • Available to users signed into a qualifying Microsoft Entra ID (formerly Azure AD) account with a Microsoft 365 E3/E5 or similar commercial license.
    • Prompts are not used to train Microsoft's foundation models.
    • Commercial Data Protection means prompts are not shared with third-party advertisers.
    • DPA coverage through Microsoft's Online Services Terms (OST) and Data Protection Addendum (DPA).
    • This is the baseline for GDPR-appropriate use.

    Microsoft 365 Copilot (M365 Copilot):

    • The AI integration built into Word, Excel, PowerPoint, Teams, Outlook, and the rest of the M365 suite.
    • Licensed separately from the M365 suite; requires M365 Business/Enterprise plus Copilot licenses.
    • Processes data within your Microsoft 365 tenant boundary.
    • Covered by the Microsoft Online Services DPA, including SCCs for international transfers.
    • EU Data Boundary commitment: Microsoft's EU Data Boundary applies to M365 Copilot for European customers, meaning prompts and responses are processed and stored within the EU/EEA.
    • Does not use customer content to train Microsoft's foundation models.
    • Subject to Microsoft's standard M365 security and compliance controls (audit logs, eDiscovery, retention policies).

    Microsoft Azure OpenAI Service:

    • API-level access to GPT-4 and other OpenAI models through Azure infrastructure.
    • Fully covered by the Microsoft Online Services DPA and eligible for the Microsoft HIPAA BAA.
    • Data does not leave Azure infrastructure; used by organizations building custom AI applications.
    • EU data residency available through Azure region selection.

    Microsoft Copilot for Security:

    • AI assistant for security operations, integrated with Defender, Sentinel, and Entra.
    • Enterprise data handling terms.

    The EU Data Boundary: what it means for Copilot

    In 2023, Microsoft launched the EU Data Boundary commitment, progressively covering its commercial cloud services. As of 2026:

    • M365 Copilot is within the EU Data Boundary for customers in the EU/EEA when the M365 tenant is configured for EU data residency. Prompts, responses, and associated data are stored and processed within EU/EEA datacenters.
    • Azure OpenAI follows Azure region configuration; European customers can select EU regions to keep data in the EU.
    • Consumer Copilot is not covered by the EU Data Boundary.

    The EU Data Boundary eliminates the need for SCCs for M365 Copilot traffic within the scope of the commitment, but organizations should confirm the specific services covered by reviewing Microsoft's EU Data Boundary documentation and ensuring their tenant data residency is correctly configured.

    The Italian Garante's scrutiny of AI tools

    The Italian Garante (data protection authority) issued a temporary block against ChatGPT in 2023 and has actively scrutinized AI tools for GDPR compliance. Its ChatGPT analysis identified three core concerns:

    1. Lack of disclosed lawful basis for training on European users' data.
    2. Accuracy obligations — AI tools generate false information about real people, potentially violating GDPR's accuracy principle.
    3. Age verification — consumer AI tools lacked mechanisms to prevent processing children's data.

    Microsoft's enterprise products are less exposed to these concerns because (a) they do not train on customer prompts, (b) they are deployed within a managed tenant rather than to the general public, and (c) enterprise customers can implement age verification and access controls. Consumer Copilot faces the same scrutiny as ChatGPT consumer products.

    Completing a DPIA for Microsoft Copilot

    Most organizations deploying M365 Copilot across a workforce handling personal data will need a DPIA under Article 35. A DPIA for M365 Copilot should address:

    • Nature and scope: What personal data categories will be processed through Copilot? (Employee data, customer data, financial data, health data — each has different risk implications.)
    • Purposes: What are the specific use cases for Copilot, and what is the lawful basis for each?
    • Necessity and proportionality: Is Copilot's access to personal data limited to what is necessary? (Copilot in M365 can access all data in your M365 environment that the user can access — this is a significant data surface area.)
    • Risks: What are the risks to data subjects? Consider: unauthorized disclosure through Copilot suggestions, data subjects' inability to control AI processing, inaccurate AI output affecting individuals, and prompt injection risks.
    • Mitigations: Sensitivity labels, restricted SharePoint permissions, DLP policies, audit logging, user training.
    • Residual risk and acceptance: Document the risk acceptance decision by the data controller.

Many supervisory authorities (the national data protection authorities) have published DPIA templates; the ICO (UK), CNIL (France), and BfDI (Germany) have all issued AI-specific DPIA guidance.

    Sensitivity labels and access controls: the privacy-within-Copilot challenge

    A distinctive GDPR challenge with M365 Copilot is that Copilot can surface content from across your M365 tenant that the user has access to — including content they may have access to by virtue of broad organizational permissions rather than business need. This can violate data minimization if Copilot surfaces personal data about individuals in response to prompts that don't require it.

    Mitigations:

    • Microsoft Purview sensitivity labels: Apply labels to documents and emails containing personal data. Copilot can be configured to respect labels and avoid summarizing or surfacing highly sensitive content without explicit user intent.
    • SharePoint permissions review: Before deploying Copilot, audit SharePoint site permissions to ensure personal data is not overly broadly shared within the organization.
    • Microsoft Purview Compliance Portal: Configure DLP policies to flag when Copilot outputs contain personal data beyond the intended scope.
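The permissions review above is the step that most often gets skipped because it is tedious to do by hand. The script below is an added example, not code from the original post or from Microsoft; it uses the SharePoint Online Management Shell to sweep every site collection for group members that grant access to the whole tenant (the "Everyone" and "Everyone except external users" claims), which is exactly the kind of broad permission that lets Copilot surface HR or legal files to anyone who asks. The admin URL is a placeholder, and the claim prefixes are the login-name forms SharePoint uses for those two built-in groups.

```powershell
# Added example (not from the original post): sweep every SharePoint Online site
# for members that grant access to the whole tenant, which is what lets Copilot
# surface HR or legal files to anyone who can phrase the right prompt.
# Assumes the Microsoft.Online.SharePoint.PowerShell module is installed and that
# https://contoso-admin.sharepoint.com is a placeholder for your tenant's admin URL.
Import-Module Microsoft.Online.SharePoint.PowerShell

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Login-name prefixes of the tenant-wide claims: "Everyone" is the c:0(.s|true
# claim; "Everyone except external users" starts with the spo-grid-all-users claim.
$broadClaims = @(
    "c:0(.s|true",
    "c:0-.f|rolemanager|spo-grid-all-users"
)

# Get-SPOSite -Limit All excludes OneDrive personal sites; add -IncludePersonalSite
# if those are in scope for your review.
$findings = foreach ($site in Get-SPOSite -Limit All) {
    # Site groups carry the members that ultimately grant access to the site.
    foreach ($group in Get-SPOSiteGroup -Site $site.Url) {
        foreach ($member in $group.Users) {
            foreach ($claim in $broadClaims) {
                if ($member.StartsWith($claim, [System.StringComparison]::OrdinalIgnoreCase)) {
                    [pscustomobject]@{
                        SiteUrl = $site.Url
                        Group   = $group.Title
                        Roles   = ($group.Roles -join ';')
                        Member  = $member
                    }
                }
            }
        }
    }
}

# Every row is a location Copilot can draw from for every signed-in user.
# Review each against business need before assigning Copilot licenses.
$findings | Sort-Object SiteUrl | Format-Table -AutoSize
$findings | Export-Csv -Path ".\copilot-broad-access.csv" -NoTypeInformation
```

Run it from an account holding the SharePoint administrator role. The CSV is the artifact to attach to the DPIA's "necessity and proportionality" section: it documents which sites were over-shared at the time of review and what was tightened before rollout.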

    Frequently asked questions

    Is Microsoft Copilot GDPR compliant?

    M365 Copilot on a commercial M365 license, configured with EU data residency and covered by Microsoft's Online Services DPA, can be used in a GDPR-compliant posture. Consumer Copilot (copilot.microsoft.com with a personal account) is not appropriate for processing personal data of EU data subjects in a professional context. "GDPR compliant" as a label applies to the posture (tier + configuration + controls), not the product alone.

    Does Microsoft use M365 Copilot data to train its AI models?

    Microsoft's published terms for M365 Copilot state that Microsoft does not use customer data (including prompts and responses) to train its foundation models. This applies to commercial M365 Copilot. Consumer Copilot's terms are different — check Microsoft's consumer privacy statement for current terms.

    Do we need SCCs to use M365 Copilot as a European company?

    Under the EU Data Boundary commitment, M365 Copilot data for EU-based tenants is processed within the EU/EEA, which means the transfer mechanism question does not arise for in-boundary processing. If your tenant is configured for a non-EU region, SCCs from the Microsoft Online Services DPA apply. Confirm your tenant's data residency configuration in the Microsoft 365 Admin Center.

    What about Copilot in Teams — does it record meetings?

    Microsoft Teams with Copilot can transcribe and summarize meetings. This implicates GDPR's recording obligations: participants must be informed, and the lawful basis for recording must be identified (legitimate interests or consent, depending on the context and jurisdiction). Some Member States have specific rules about workplace recording; Germany's works council requirements, for example, may require co-determination before deploying meeting-transcription AI.

    Does our existing Microsoft DPA cover Copilot?

    Microsoft's Online Services DPA (formerly the Online Services Terms / DPA addendum) is updated periodically to include new services. M365 Copilot was added to the DPA scope when it became generally available. Review your current Microsoft DPA version to confirm Copilot is listed as a covered online service. If you have a legacy DPA, contact your Microsoft account team to update it.

    Should we inform employees about Copilot usage in privacy notices?

Yes. If Copilot processes employee personal data (e.g., email content, Teams messages, calendars), employees must be informed under Articles 13 and 14 of the GDPR. Update your employee privacy notice to describe the use of Copilot, the lawful basis, and how to exercise rights. This is typically done via an addendum to the existing employee privacy notice rather than a full rewrite.

    Is there a risk that Copilot exposes one employee's personal data to another?

    Yes, if permissions are not properly configured. Copilot can surface content the user can access in M365 — including email threads, SharePoint files, and Teams messages that contain other employees' personal data. If your SharePoint permissions are broad (e.g., large groups with access to HR or legal files), Copilot could surface personal data to employees who have technical access but no business need. Reviewing and tightening permissions before deployment is one of the most important pre-deployment steps.

    A GDPR readiness checklist for M365 Copilot deployment

    • Confirm your M365 Copilot subscription is on a commercial license (not consumer).
    • Verify your Microsoft Online Services DPA covers M365 Copilot.
    • Configure EU data residency in the Microsoft 365 Admin Center if your organization is in the EU/EEA.
    • Complete a DPIA before deploying Copilot to employees who process personal data.
    • Review SharePoint permissions and apply sensitivity labels to personal-data-containing files.
    • Update your employee privacy notice to disclose Copilot use.
    • Configure Microsoft Purview DLP policies for AI-specific scenarios.
    • Enable audit logging for Copilot interactions.
    • Train employees on what categories of data should not be entered into Copilot prompts.
    • Establish a review cadence for Microsoft's DPA and EU Data Boundary documentation.
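Enabling audit logging is only useful if someone can actually retrieve the record when a data subject request or a supervisory authority asks for it. The script below is an added example, not code from the original post or from Microsoft; it pulls the last 30 days of Copilot interaction events from the Microsoft Purview unified audit log through the Exchange Online PowerShell module and summarizes them per user. The record type name `CopilotInteraction` and the `AppHost` field inside the event's `CopilotEventData` are taken from Microsoft's audit documentation at the time of writing and should be confirmed against a real event from your tenant before the output is relied on.

```powershell
# Added example (not from the original post): retrieve Copilot interaction events
# from the unified audit log and summarise them per user, so the DPIA's "audit
# logging" mitigation is backed by a retrievable record rather than a checkbox.
# Assumes the ExchangeOnlineManagement module is installed and that the signed-in
# account holds an audit-log reader role. RecordType "CopilotInteraction" and the
# CopilotEventData.AppHost field follow Microsoft's documentation at time of writing;
# confirm both against an event from your own tenant.
Import-Module ExchangeOnlineManagement

Connect-ExchangeOnline

$end      = Get-Date
$start    = $end.AddDays(-30)
$pageSize = 5000
$sessionId = "copilot-dpia-" + $start.ToString("yyyyMMdd")

# Page through results with SessionCommand so that large tenants are not
# truncated at the single-call result limit.
$events = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType CopilotInteraction -ResultSize $pageSize `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    $events += $page
} while ($page.Count -eq $pageSize)

# Each event's AuditData property is a JSON string; keep only what the review needs.
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When    = $e.CreationDate
        User    = $d.UserId
        AppHost = $d.CopilotEventData.AppHost   # e.g. which app the prompt came from
    }
}

# Per-user volume is the first thing a reviewer asks for; outliers point at
# users or teams whose Copilot use should be looked at more closely.
$rows | Group-Object User | Sort-Object Count -Descending |
    Select-Object @{n = 'User'; e = { $_.Name }}, Count | Format-Table -AutoSize

$rows | Export-Csv -Path ".\copilot-interactions-30d.csv" -NoTypeInformation
```

Schedule this on the same cadence as the DPA and EU Data Boundary review, and keep the exported CSV alongside the DPIA; the audit log's own retention is limited by your Purview licensing, so the export is what survives past that window.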

    The bottom line

    M365 Copilot is among the most GDPR-friendly of the major AI tools for European enterprise customers, largely because Microsoft has invested in EU data residency, dedicated data processing terms, and no-training commitments for customer data. The compliance challenge is not the product itself — it is the deployment posture: permissions that are too broad, a DPIA that was not completed, a privacy notice that was not updated, and employees who do not know what personal data should stay out of AI prompts. Get those four things right, and M365 Copilot can be a productive, compliant part of a European organization's AI strategy.
