ChatGPT & Microsoft Copilot GDPR Compliance Report - European Clients

Version: March 2026 - prepared by WAIMAKERS B.V.

1 Purpose

This report provides European clients with insights into how ChatGPT and Microsoft Copilot subscriptions handle personal data in relation to the General Data Protection Regulation (GDPR). Both platforms use large language models but differ in enterprise data protection and compliance.

2. ChatGPT Comparison of Versions

Plan	GDPR-Compliant?	EU Data Residency	Processing/Storage	Retention	Guide Price*	DPA / Policy Quote
Free / Plus	⚠️ Limited for business	❌ No	Global; U.S.-based infra	Undefined; persists unless deleted	€23/mo (incl. VAT NL)	“Business data not used for training; consumer plans can opt out.”
ChatGPT Business (renamed from Team, Aug 29, 2025)	✅ Yes	❌ No (no EU-only option yet)	OpenAI infra; contracting via OpenAI Ireland Ltd.	Deleted/unsaved chats removed ≤30 days	€30/seat/mo (monthly) or €25/seat/mo (annual), excl. VAT; credit pack system available for overflow usage	“We do not train on business data by default.” DPA available.
ChatGPT Enterprise / Edu	✅ Yes	✅ Yes (EU at-rest + EU inference residency since Jan 2026)	Content stored at rest in EU; inference also processed in EU for new workspaces	Admin configurable; deleted chats removed ≤30 days	Custom (EUR)	“Enterprise/Edu customers can store content at rest in Europe.” EU inference residency added Jan 2026.
OpenAI API (Business/Edu)	✅ Yes	✅ Yes (EU option; in-country processing expanding to DE/IT/ES/SE/CH in 2026)	EU residency possible; ZDR by default for eligible endpoints	Default 7 days (reduced from 30); ZDR optional	Usage-based (USD list; invoiced in EUR)	“API I/O may be retained ≤7 days; ZDR available. Eligible customers can process in EU.”

Guide prices based on publicly available info as of March 2026. VAT handling varies by plan/company status.

3. Microsoft Copilot Comparison of Versions

Plan	GDPR-Compliant?	EU Data Residency	Processing/Storage	Retention	Guide Price*	DPA / Policy Quote
Microsoft Copilot (web)	⚠️ Limited	❌ No	Global datacenters; consumer terms	Not specified	Free	Consumer protections only; no M365 DPA.
Copilot Pro (consumer)	⚠️ Limited	❌ No	Global datacenters; consumer terms	Not specified	€22/user/mo	Personal plan; no M365 DPA.
M365 Copilot Chat (work)	✅ Yes	✅ Yes (EU Data Boundary)	Commercial tenant w/ Entra ID; ⚠️ web search excluded	Configurable via Purview/M365	Included with eligible M365 license	Covered by DPA & EU Data Boundary; web search excluded. Now a Core Online Service under EU Data Boundary (Sept 2025).
M365 Copilot (add-on)	✅ Yes	✅ Yes (EU Data Boundary)	EU Data Boundary for M365 content	Configurable via M365 policies	€28.10/user/mo (annual, excl. VAT); new bundled SMB SKUs (Dec 2025): Basic+Copilot , Standard+Copilot .50, Premium+Copilot . M365 E3 price rises to \9 effective July 2026.	Prompts/responses not used to train; GDPR compliant. ⚠️ Anthropic/Claude added as M365 subprocessor (Jan 2026); OFF by default for EU tenants and excluded from EU Data Boundary.
GitHub Copilot Business	✅ Yes	⚠️ Conditional	Depends on tenant & GitHub region	~30 days	$19 USD/user/mo (EUR billed at FX)	Covered by GitHub Enterprise DPA; separate from M365.
Microsoft Security Copilot	✅ Yes	⚠️ Limited	Azure datacenters; SCU workloads	Usage-based; retention per product	Priced per SCU/hour	Capacity billed hourly per SCU.

Guide prices as of Sept 2025, excl. VAT/discounts.

4. Key Differences

Foundation: Both use OpenAI models.
ChatGPT: General-purpose assistant (standalone app + API).
Copilot: Productivity AI in Microsoft 365, GitHub, Security.
Compliance:
- ChatGPT: EU at-rest + EU inference residency (Jan 2026) for Enterprise/Edu; API EU region + ZDR; API retention reduced to 7 days.
- Copilot: EU Data Boundary (M365); ⚠️ web search excluded; Anthropic/Claude subprocessor OFF by default for EU.

5. GDPR Recommendations

General use: ChatGPT Business or Enterprise (EU at-rest).
M365 productivity: M365 Copilot add-on; disable web search.
Dev work: GitHub Copilot Business or ChatGPT Enterprise.
Security ops: Microsoft Security Copilot with SCU controls.

6. Compliance Considerations

ChatGPT: Free/Plus unsuitable for personal data; Business lacks EU residency; Enterprise/Edu needed for EU storage; ChatGPT Go has no GDPR protections whatsoever.
Copilot: Web search outside EU Data Boundary; consumer plans lack DPAs; Anthropic/Claude now a subprocessor but excluded from EU Data Boundary and OFF by default for EU tenants.
Shared: Conduct DPIA, review DPAs, train staff.
Regulatory actions: Italy’s Garante fined OpenAI €15M (Dec 2024) for GDPR violations related to ChatGPT. The EDPB issued an Art. 64 opinion on AI model training and personal data (2025). The Irish DPC is the lead supervisory authority for OpenAI in Europe.

7. Cost Comparison (Illustrative)

Small team (10 users):
- ChatGPT Business: ~€300/mo excl. VAT.
- M365 Copilot add-on: ~€281/mo excl. VAT (annual).
Medium enterprise (100 users):
- M365 Copilot add-on: ~€2,810/mo excl. VAT (annual).
- ChatGPT Enterprise: Custom.
Security Copilot: SCU/hour, variable.

8. Implementation Roadmap

Assessment (Weeks 1-2): DPIA, licensing, use cases.
Pilot (Weeks 3-6): Configure retention/DLP; monitor usage.
Rollout (Weeks 7-12): Training, governance, compliance review.

9. Disclaimer

This report is informational only and not legal advice. Verify terms directly with vendors. WAIMAKERS B.V. applies these principles internally but cannot be held liable. Compliance responsibility rests with the customer.

References

OpenAI:

https://openai.com/enterprise-privacy - OpenAI Enterprise Privacy
https://openai.com/index/introducing-data-residency-in-europe - OpenAI Data Residency in Europe
https://help.openai.com/en/articles/9985383-data-residency-for-chatgpt - Data Residency for ChatGPT (incl. EU inference residency, Jan 2026)
https://help.openai.com/en/articles/10124943-data-residency-for-the-openai-api - Data Residency for the OpenAI API
https://openai.com/policies/data-processing-addendum - OpenAI Data Processing Addendum (updated Jan 1, 2026)

Microsoft Copilot:

https://learn.microsoft.com/microsoft-365-copilot/microsoft-365-copilot-privacy - Microsoft 365 Copilot Privacy Documentation
https://learn.microsoft.com/en-us/microsoft-365/compliance/microsoft-365-copilot-subprocessors - Microsoft 365 Copilot Subprocessors (incl. Anthropic/Claude, Jan 2026)

Regulatory:

https://www.garanteprivacy.it/ - Italy Garante €15M fine on OpenAI (December 2024)
https://www.edpb.europa.eu/ - EDPB Art. 64 Opinion on AI model training and personal data (2025)

Disclaimer

This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying ChatGPT or Microsoft Copilot in production environments - especially when personal data, proprietary business information, or confidential content are processed. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.

Prepared and issued by WAIMAKERS B.V. - March 2026.

2. ChatGPT Comparison of Versions

Plan

GDPR-Compliant?

EU Data Residency

Processing/Storage

Retention

Guide Price*

DPA / Policy Quote

Free / Plus

⚠️ Limited for business

❌ No

Global; U.S.-based infra

Undefined; persists unless deleted

€23/mo (incl. VAT NL)

“Business data not used for training; consumer plans can opt out.”

ChatGPT Business (renamed from Team, Aug 29, 2025)

✅ Yes

❌ No (no EU-only option yet)

OpenAI infra; contracting via OpenAI Ireland Ltd.

Deleted/unsaved chats removed ≤30 days

€30/seat/mo (monthly) or €25/seat/mo (annual), excl. VAT; credit pack system available for overflow usage

“We do not train on business data by default.” DPA available.

ChatGPT Enterprise / Edu

✅ Yes

✅ Yes (EU at-rest + EU inference residency since Jan 2026)

Content stored at rest in EU; inference also processed in EU for new workspaces

Admin configurable; deleted chats removed ≤30 days

Custom (EUR)

“Enterprise/Edu customers can store content at rest in Europe.” EU inference residency added Jan 2026.

OpenAI API (Business/Edu)

✅ Yes

✅ Yes (EU option; in-country processing expanding to DE/IT/ES/SE/CH in 2026)

EU residency possible; ZDR by default for eligible endpoints

Default 7 days (reduced from 30); ZDR optional

Usage-based (USD list; invoiced in EUR)

“API I/O may be retained ≤7 days; ZDR available. Eligible customers can process in EU.”

Guide prices based on publicly available info as of March 2026. VAT handling varies by plan/company status.

3. Microsoft Copilot Comparison of Versions

Plan

GDPR-Compliant?

EU Data Residency

Processing/Storage

Retention

Guide Price*

DPA / Policy Quote

Microsoft Copilot (web)

⚠️ Limited

❌ No

Global datacenters; consumer terms

Not specified

Free

Consumer protections only; no M365 DPA.

Copilot Pro (consumer)

⚠️ Limited

❌ No

Global datacenters; consumer terms

Not specified

€22/user/mo

Personal plan; no M365 DPA.

M365 Copilot Chat (work)

✅ Yes

✅ Yes (EU Data Boundary)

Commercial tenant w/ Entra ID; ⚠️ web search excluded

Configurable via Purview/M365

Included with eligible M365 license

Covered by DPA & EU Data Boundary; web search excluded. Now a Core Online Service under EU Data Boundary (Sept 2025).

M365 Copilot (add-on)

✅ Yes

✅ Yes (EU Data Boundary)

EU Data Boundary for M365 content

Configurable via M365 policies

€28.10/user/mo (annual, excl. VAT); new bundled SMB SKUs (Dec 2025): Basic+Copilot , Standard+Copilot .50, Premium+Copilot . M365 E3 price rises to \9 effective July 2026.

Prompts/responses not used to train; GDPR compliant. ⚠️ Anthropic/Claude added as M365 subprocessor (Jan 2026); OFF by default for EU tenants and excluded from EU Data Boundary.

GitHub Copilot Business

✅ Yes

⚠️ Conditional

Depends on tenant & GitHub region

~30 days

$19 USD/user/mo (EUR billed at FX)

Covered by GitHub Enterprise DPA; separate from M365.

Microsoft Security Copilot

✅ Yes

⚠️ Limited

Azure datacenters; SCU workloads

Usage-based; retention per product

Priced per SCU/hour

Capacity billed hourly per SCU.

Guide prices as of Sept 2025, excl. VAT/discounts.

4. Key Differences

Foundation: Both use OpenAI models.

ChatGPT: General-purpose assistant (standalone app + API).

Copilot: Productivity AI in Microsoft 365, GitHub, Security.

Compliance:

ChatGPT: EU at-rest + EU inference residency (Jan 2026) for Enterprise/Edu; API EU region + ZDR; API retention reduced to 7 days.
Copilot: EU Data Boundary (M365); ⚠️ web search excluded; Anthropic/Claude subprocessor OFF by default for EU.

6. Compliance Considerations

ChatGPT: Free/Plus unsuitable for personal data; Business lacks EU residency; Enterprise/Edu needed for EU storage; ChatGPT Go has no GDPR protections whatsoever.

Copilot: Web search outside EU Data Boundary; consumer plans lack DPAs; Anthropic/Claude now a subprocessor but excluded from EU Data Boundary and OFF by default for EU tenants.

Shared: Conduct DPIA, review DPAs, train staff.

Regulatory actions: Italy’s Garante fined OpenAI €15M (Dec 2024) for GDPR violations related to ChatGPT. The EDPB issued an Art. 64 opinion on AI model training and personal data (2025). The Irish DPC is the lead supervisory authority for OpenAI in Europe.

Disclaimer

Prepared and issued by WAIMAKERS B.V. - March 2026.

ChatGPT & Copilot (EU)

Need help navigating AI?

ChatGPT & Copilot (EU)

Need help navigating AI?