Microsoft 365 Copilot (Microsoft)
Status badges are conditional: validate the exact plan, DPA, subprocessors, retention, residency, and feature settings before using the tool with personal or confidential data.
Pricing / Contract Route: Microsoft pricing varies by license and bundle.
Enterprise Features: DPA with SCCs, Microsoft 365 compliance controls, EU Data Boundary where applicable, Anthropic setting review.
Last Updated: June 23, 2026
Microsoft 365 Copilot - GDPR & Data Privacy Overview for European Clients
Version: June 2026 - prepared by WAIMAKERS B.V.
Recent developments:
- Microsoft has announced expanded local data processing for Microsoft 365 Copilot. For EU/EFTA countries (including Germany, Italy, Spain, Sweden, and Switzerland) this is delivered at a regional level aligned with the EU Data Boundary, while non-EU markets such as the UAE receive true in-country processing (targeted by end of 2026 per Microsoft's April 2026 timeline revision).
- Copilot Chat is covered as a Core Online Service under the EU Data Boundary, strengthening data residency coverage; its residency commitments are governed by the "Location of Customer Data at Rest for Core Online Services" section of the Microsoft Product Terms.
- Anthropic/Claude is now a Microsoft 365 Copilot subprocessor and can be used in supported Excel and PowerPoint Copilot experiences (Word support is planned for summer 2026). Microsoft says this app-level Anthropic setting is on by default for EU/EFTA/UK tenants created after March 25, 2026; pre-existing tenants should check Message Center and the Microsoft 365 admin center. Anthropic model processing occurs outside the EU Data Boundary.
- The Researcher and Analyst agents are now generally available and included in the Microsoft 365 Copilot license (GA June 2025).
- Microsoft 365 E3 pricing is scheduled to increase to $39/user/month in July 2026. Microsoft launched Copilot Business bundles in December 2025; verify current Microsoft list pricing before purchase.
1 Purpose
This overview explains how Microsoft 365 Copilot handles data in relation to GDPR, with a focus on European customers. Microsoft 365 Copilot is an AI-powered productivity tool integrated into Microsoft 365 applications (Word, Excel, PowerPoint, Outlook, Teams, OneNote, Loop) that coordinates large language models with Microsoft Graph content and organisational data. Microsoft Corporation is a US-based company with extensive EU infrastructure and holds comprehensive enterprise compliance certifications.
2 Comparison of Microsoft 365 Copilot Deployment Options (EU focus)
| Deployment | Training on data? | EU data residency | Data boundary | Admin controls | Compliance | Price |
|---|---|---|---|---|---|---|
| Microsoft 365 Copilot (Enterprise) | ✅ No training on customer data | ✅ Available (EU Data Boundary) | ✅ Tenant-isolated | ✅ Full admin dashboard, conditional access, DLP | ISO 27001, SOC 2, GDPR, DPA with SCCs | $30/user/month (+ base M365 license) |
| Microsoft 365 Copilot (Business) | ✅ No training on customer data | ✅ Available (regional data residency) | ✅ Tenant-isolated | ✅ Admin dashboard, basic controls | ISO 27001, SOC 2, GDPR, DPA with SCCs | $21/user/month (annual; $25.20/month monthly) (+ M365 Business license) |
| Microsoft Copilot (Free/Consumer) | ⚠️ May use data for improvement | ❌ Not available | ❌ No tenant isolation | ❌ No admin controls | Consumer privacy policy | Free (or $20/month Pro) |
Notes for Europe
- No training on customer data: Microsoft explicitly commits that Microsoft 365 Copilot does not use customer data (prompts, responses, data accessed through Microsoft Graph) to train foundation LLMs or any models outside your tenant.
- EU data residency: Provided by the EU Data Boundary for EU-provisioned tenants; Microsoft 365 Multi-Geo is an optional add-on for controlling per-user data placement across geographies (Enterprise). Copilot interactions and semantic index are stored at rest in the appropriate local region geography. Copilot Chat is covered as a Core Online Service under the EU Data Boundary (residency governed by the Microsoft Product Terms).
- Data Processing Addendum (DPA): All Microsoft 365 commercial customers are covered by the Microsoft Products and Services DPA, which includes Standard Contractual Clauses (SCCs) for EU data transfers.
- Tenant isolation: Customer data stays within Microsoft 365 tenant boundaries. LLM processing occurs using Microsoft-managed infrastructure with strict isolation controls.
- Retention: Governed by Microsoft 365 retention policies; admins can configure retention for Copilot interactions.
- Pricing: Requires an eligible Microsoft 365 license (E3/E5, Business Basic/Standard/Premium, or equivalent). Copilot Business and bundle pricing changes frequently; verify current Microsoft list pricing before purchase.
- Subprocessors: Anthropic/Claude is available as a Microsoft 365 Copilot subprocessor for supported Office experiences. The app-level setting is on by default for EU/EFTA/UK tenants created after March 25, 2026, and processing occurs outside the EU Data Boundary. Admins should confirm the setting for their tenant if EU Data Boundary coverage is mandatory.
- Researcher & Analyst agents: Included in Microsoft 365 Copilot license at no additional cost (GA June 2025).
3 Is Microsoft 365 Copilot GDPR-Compliant?
Short answer: Yes. Microsoft 365 Copilot inherits the comprehensive GDPR compliance framework of Microsoft 365, including DPA with Standard Contractual Clauses, EU data residency via the EU Data Boundary (with optional Multi-Geo for per-user data placement), and enterprise-grade security certifications. Recommended for EU business deployment.
What applies to all Microsoft 365 Copilot deployments:
- No training on customer data - Microsoft explicitly states: "Your data is your data. We do not use your Microsoft 365 customer data to train foundation LLMs for use by others outside of your tenant."
- Data Processing Addendum with SCCs - All Microsoft 365 commercial customers are automatically covered by the DPA, which includes EU Standard Contractual Clauses.
- Comprehensive compliance certifications - ISO 27001, ISO 27018, ISO 27701, SOC 1, SOC 2, SOC 3, HIPAA, GDPR, EU Model Clauses.
- Tenant isolation - Data stays within your Microsoft 365 tenant; not shared across customers or used to improve services for others.
- Enterprise data protection - Inherits all Microsoft 365 security: conditional access, data loss prevention (DLP), sensitivity labels, information barriers, encryption at rest and in transit.
EU data residency:
- EU Data Boundary - For EU-provisioned tenants, Copilot interactions and the semantic index are stored at rest within the EU Data Boundary (EU + EFTA) by default. Enterprise customers can additionally use Microsoft 365 Multi-Geo to place specific users' data in named geographies.
- Regional data commitments - Business customers receive regional data residency based on tenant country selection.
- Expanding sovereign AI capabilities - Microsoft is rolling out additional regional data processing options: UK in-country processing (now targeted by end of 2026 after Microsoft's April 2026 timeline revision), UAE in-country processing (announced Oct 2025, target 2026), and, for EU/EFTA countries (Germany, Italy, Spain, Sweden, and Switzerland), local inferencing delivered at a regional level aligned with the EU Data Boundary rather than per-country processing. Verify current timelines, as Microsoft has revised some launch dates. Copilot Chat is covered as a Core Online Service under the EU Data Boundary (residency governed by the Microsoft Product Terms).
- LLM processing - Data at rest stays in region, but real-time LLM processing may occur in Microsoft-managed infrastructure globally, covered by contractual data protection commitments.
What that means in practice:
- For EU enterprise deployment: Microsoft 365 Copilot on an EU-provisioned tenant provides EU data residency via the EU Data Boundary by default, no training on customer data, DPA with SCCs, and full admin controls (Multi-Geo is optional, for per-user data placement). Suitable for GDPR-regulated workflows.
- For highly regulated industries: Conduct a DPIA to assess data flows; Microsoft's comprehensive compliance framework typically satisfies the requirements. A HIPAA BAA is available for healthcare.
- For consumer/free Copilot: Not suitable for business use. Lacks tenant isolation, DPA, admin controls, and data residency guarantees.
Buyer's note: Microsoft 365 Copilot is one of the most GDPR-compliant enterprise AI tools available, with mature data residency, comprehensive DPA/SCCs, and explicit no-training commitments. Requires existing Microsoft 365 license.
4 Details by Offering
Microsoft 365 Copilot (Enterprise: E3, E5, F1, F3)
- No training on customer data - Microsoft does not use your data to train LLMs for others.
- Data residency: EU data residency provided by the EU Data Boundary for EU-provisioned tenants; Microsoft 365 Multi-Geo is an optional add-on for placing specific users' data in named EU geographies. Copilot interactions and semantic index stored at rest in the EU geography.
- Compliance: ISO 27001, SOC 2, GDPR, HIPAA-eligible with BAA, DPA with SCCs automatically applies.
- Admin controls: Comprehensive admin dashboard, conditional access policies, data loss prevention (DLP), sensitivity labels, eDiscovery, retention policies, audit logs.
- Tenant isolation: Data stays within Microsoft 365 tenant boundaries; not accessible to other customers.
- Pricing: $30/user/month (requires existing Microsoft 365 E3, E5, F1, or F3 license; typically $20-57/user/month depending on tier). Note: E3 base license price increases to $39/user/month in July 2026.
- Researcher & Analyst agents: Included in license at no additional cost (GA June 2025).
- When to use: European enterprise deployments, regulated industries, organisations requiring EU data residency, HIPAA-covered entities (with BAA).
- When not to use: Organisations without existing Microsoft 365 Enterprise licenses (consider Business tier or alternative platforms).
Microsoft 365 Copilot (Business: Business Standard, Business Premium)
- No training on customer data - Same commitment as Enterprise tier.
- Data residency: Regional data residency based on tenant billing country. EU tenants receive EU data storage.
- Compliance: ISO 27001, SOC 2, GDPR, DPA with SCCs.
- Admin controls: Admin dashboard, basic security controls, retention policies.
- Tenant isolation: Same as Enterprise tier.
- Pricing: $21/user/month (annual; $25.20/month month-to-month; $18 promo July 1-Sept 30, 2026). Requires an existing Microsoft 365 Business Standard or Business Premium license ($12.50-22/user/month).
- When to use: Small to medium European businesses with existing Microsoft 365 Business licenses, non-highly-regulated industries.
- When not to use: Organisations requiring advanced compliance features (Multi-Geo, advanced DLP, information barriers) available only in Enterprise tiers.
Microsoft Copilot (Free / Consumer)
- No enterprise guarantees - Consumer privacy policy applies; data may be used to improve services.
- Data residency: Not available.
- No tenant isolation - No organisational boundaries.
- No admin controls - Individual user accounts only.
- Pricing: Free (Copilot Pro: $20/month for individuals).
- When to use: Personal research, non-business use, experimentation.
- When not to use: Any business or organisational use; processing of personal data of EU residents; GDPR-regulated workflows.
5 Data Processing Flow
```text
[User interacts with Copilot in Word/Outlook/Teams]
        ↓
[Microsoft 365 tenant (EU or selected region)]
  ├─ User prompt captured
  ├─ Microsoft Graph query (emails, files, calendar, chats)
  │   └─ Data stays within tenant boundary
  ├─ Semantic index (stored at rest in the EU region by default for EU-provisioned tenants; Multi-Geo controls per-user placement)
  └─ LLM processing (Microsoft-managed infrastructure)
      ├─ Customer data NOT used for training
      ├─ Processed with tenant isolation
      └─ Contractual data protection (DPA with SCCs)
        ↓
[Copilot response generated and displayed to user]
  ├─ Interaction stored per retention policy (configurable)
  └─ Audit logs available for eDiscovery
```
*EU-provisioned tenants: content of interactions and semantic index stored at rest in the EU Data Boundary by default; Multi-Geo controls per-user placement across geographies*
*Data in transit: Encrypted with TLS 1.2+*
*Data at rest: Encrypted with Microsoft-managed keys or customer-managed keys*
6 Recommendations (GDPR-first)
- For European enterprise deployment, use Microsoft 365 Copilot (Enterprise) on an EU-provisioned tenant, which keeps covered Copilot data in the EU Data Boundary by default; use Microsoft 365 Multi-Geo only if you need to place specific users' data in named geographies. Review and accept DPA with SCCs (automatically provided).
- For small/medium businesses in EU, Microsoft 365 Copilot (Business) provides strong GDPR compliance with regional data residency, DPA/SCCs, and no training on customer data.
- For highly regulated industries (healthcare, finance), Microsoft 365 Copilot is HIPAA-eligible with executed BAA. Conduct DPIA and document data flows, but Microsoft's compliance framework is comprehensive.
- Configure retention policies for Copilot interactions to align with organisational data retention requirements.
- Enable Data Loss Prevention (DLP) and sensitivity labels to prevent accidental sharing of sensitive data through Copilot.
- Do not use consumer/free Copilot for business purposes - it lacks tenant isolation, DPA, admin controls, and data residency guarantees.
7 EU Rollout Checklist (Practical)
- Verify existing Microsoft 365 license eligibility - Enterprise (E3/E5) or Business (Standard/Premium) license required before purchasing Copilot add-on.
- Review Data Processing Addendum (DPA) - DPA with Standard Contractual Clauses automatically applies to all Microsoft 365 commercial customers. Download from Microsoft licensing portal.
- Confirm tenant region / EU Data Boundary coverage - For an EU-provisioned tenant, Copilot interactions and semantic index are stored at rest in the EU Data Boundary by default. Add Microsoft 365 Multi-Geo only if you need to place specific users' data in named geographies (contact Microsoft licensing).
- Conduct Data Protection Impact Assessment (DPIA) - Document Copilot data flows, Microsoft's data protection measures (DPA, SCCs, encryption, tenant isolation), and necessity/proportionality.
- Configure retention and eDiscovery policies - Set retention periods for Copilot interactions in Microsoft 365 compliance center; enable eDiscovery for legal hold requirements.
- Enable Data Loss Prevention (DLP) and sensitivity labels - Configure DLP policies to prevent sharing of sensitive/confidential data through Copilot; apply sensitivity labels to restrict Copilot access to classified documents.
- Train users on responsible AI use - Establish guidelines on appropriate Copilot use, sensitive data handling, and limitations of AI-generated content.
- Update privacy notice - Disclose Microsoft 365 Copilot usage, data processing by Microsoft (as processor), EU data transfers (SCCs), and data subject rights.
- For healthcare: Execute Business Associate Agreement (BAA) with Microsoft before processing PHI.
8 Procurement Quick Answers (EU)
Is EU data residency available?
Yes. For EU-provisioned tenants, Copilot interactions and the semantic index are stored at rest in the EU Data Boundary by default. Microsoft 365 Multi-Geo is an optional add-on (additional cost) for placing specific users' data in named geographies. Business customers receive regional data residency based on tenant region.
Does Microsoft train AI models on our data?
No. Microsoft explicitly states: "We do not use your Microsoft 365 customer data to train foundation LLMs for use by others outside of your tenant." Customer data stays within tenant boundaries.
Is a DPA available?
Yes. The Microsoft Products and Services Data Processing Addendum (DPA) automatically applies to all Microsoft 365 commercial customers and includes EU Standard Contractual Clauses (SCCs).
What certifications does Microsoft hold?
ISO 27001, ISO 27018, ISO 27701, SOC 1, SOC 2, SOC 3, HIPAA (with BAA), GDPR, EU Model Clauses, and many others. Full list at Microsoft Trust Center.
What data does Copilot access?
Copilot accesses data the user has permission to access within Microsoft 365 (emails, files, calendar, chats, documents). It respects existing permissions and does not grant users access to data they couldn't already see.
Can we use Copilot for healthcare data (PHI)?
Yes, with executed Business Associate Agreement (BAA). Microsoft 365 is HIPAA-eligible. Contact Microsoft to arrange BAA before processing PHI.
What happens to our data if we cancel Copilot?
Copilot interactions are subject to Microsoft 365 retention policies. Upon license removal, data is retained or deleted per configured retention policy. No data is used for training.
Does Copilot work offline?
No. Microsoft 365 Copilot requires internet connectivity to access Microsoft Graph and LLM processing infrastructure.
What is Microsoft 365 Multi-Geo and do we need it?
Multi-Geo allows Enterprise customers to place specific users' data at rest in named geographic regions. It is aimed at multinational organisations; an EU-provisioned tenant already receives EU data residency via the EU Data Boundary without it (and purchasing Multi-Geo removes the tenant from EU Data Boundary scope). Available as add-on to Enterprise licenses.
9 Notes & Caveats
- Requires existing Microsoft 365 license: Copilot is an add-on ($30/user/month for Enterprise; $21/user/month annual, $25.20/month for Business since Dec 1, 2025) and requires active Microsoft 365 E3/E5, Business Standard/Premium, or equivalent license ($12.50-57/user/month). Alternative bundled SMB SKUs (Dec 2025) combine base license + Copilot at $27-43/user/month. Verify current Microsoft list pricing before purchase.
- E3 price increase: Microsoft 365 E3 base license increases to $39/user/month in July 2026; plan budget accordingly.
- Anthropic/Claude subprocessor: The app-level Anthropic setting for Excel and PowerPoint Copilot (Word support planned for summer 2026) is on by default for EU/EFTA/UK tenants created after March 25, 2026; pre-existing tenants should check their Message Center and admin center defaults. Anthropic processing is excluded from the EU Data Boundary, so admins should disable or tightly govern it where EUDB-only processing is required.
- Multi-Geo is an optional add-on: EU data residency is provided by the EU Data Boundary for EU-provisioned tenants by default. Microsoft 365 Multi-Geo is a separate paid add-on (requires an Enterprise/CSP agreement) only for placing specific users' data in named geographies; it is not required for EU residency (in fact purchasing it removes the tenant from EU Data Boundary scope). Business customers receive regional residency by default.
- LLM processing may occur globally: While data at rest stays inside the EU Data Boundary for EU/EFTA tenants by default, real-time LLM inference may use Microsoft-managed infrastructure globally. Microsoft provides contractual data protection (DPA, SCCs) and tenant isolation.
- Oversharing risk: Copilot can access any data the user has permission to see. Organisations should audit and remediate overpermissioned files before enabling Copilot to prevent accidental exposure of sensitive data.
- AI output accuracy: Copilot can generate plausible but incorrect content ("hallucinations"). Users should verify critical information, especially for regulated/high-stakes use cases.
- Web grounding optional: Copilot can optionally use Bing search for web-grounded responses. When enabled, web queries may be processed outside the EU. Admins can disable web grounding via tenant controls.
- Consumer Copilot ≠ Microsoft 365 Copilot: The free "Microsoft Copilot" (consumer version) lacks enterprise protections. Ensure users access Copilot through Microsoft 365 apps (Word, Outlook, Teams) with organisational accounts, not personal Microsoft accounts.
10 Disclaimer
This overview is intended solely as an informational resource. We strongly advise customers to review all Data Processing Agreements (DPAs) and privacy documentation thoroughly before deploying Microsoft 365 Copilot in production environments, especially when processing personal data, special category data, or protected health information. WAIMAKERS applies this same principle internally: all tools we use have been assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, or inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.
Prepared and issued by WAIMAKERS B.V. - June 2026.
References
- Microsoft 365 Copilot - Enterprise Data Protection - https://learn.microsoft.com/en-us/copilot/microsoft-365/enterprise-data-protection
- Microsoft 365 Copilot - Data Protection Architecture - https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-architecture-data-protection-auditing
- Microsoft 365 Copilot - Data, Privacy, and Security - https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/data-privacy-security
- Copilot in Microsoft 365 apps with Anthropic models - https://learn.microsoft.com/en-us/microsoft-365/copilot/copilot-anthropic-apps
- Microsoft 365 Copilot - Privacy and Protections - https://learn.microsoft.com/en-au/copilot/privacy-and-protections
- Microsoft 365 Copilot - Transparency Note - https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-transparency-note
- Microsoft Products and Services Data Processing Addendum - https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
- Microsoft Trust Center - GDPR Overview - https://www.microsoft.com/en-us/trust-center/privacy/gdpr-overview