Microsoft 365 Copilot
Microsoft
Business Plan Price
$30/user/month (bundled from $27)
Enterprise Features
DPA with SCCs, EU data residency, in-country processing (DE/IT/ES/SE/CH 2026), SOC 2, ISO 27001
Last Updated
March 23, 2026
Microsoft 365 Copilot - GDPR & Data Privacy Overview for European Clients
Version: March 2026 - prepared by WAIMAKERS B.V.
Recent developments: Microsoft announced UK-specific data storage for ChatGPT Enterprise customers (Oct 22, 2025) and in-country data processing for Microsoft 365 Copilot in the UAE, available early 2026. Copilot Chat became a Core Online Service under the EU Data Boundary in September 2025, strengthening data residency coverage. Anthropic/Claude was added as a subprocessor in January 2026 (OFF by default for EU customers, excluded from EU Data Boundary). In-country processing is planned for Germany, Italy, Spain, Sweden, and Switzerland in 2026. The Researcher and Analyst agents are now generally available and included in the Microsoft 365 Copilot license (GA June 2025). Note: Microsoft 365 E3 pricing is scheduled to increase to $39/user/month in July 2026. New bundled SMB SKUs launched December 2025: Microsoft 365 Business Basic + Copilot at $27/user/month, Business Standard + Copilot at $33.50/user/month, and Business Premium + Copilot at $43/user/month.
1 Purpose
This overview explains how Microsoft 365 Copilot handles data in relation to GDPR, with a focus on European customers. Microsoft 365 Copilot is an AI-powered productivity tool integrated into Microsoft 365 applications (Word, Excel, PowerPoint, Outlook, Teams, OneNote, Loop) that coordinates large language models with Microsoft Graph content and organisational data. Microsoft Corporation is a US-based company with extensive EU infrastructure and holds comprehensive enterprise compliance certifications.
2 Comparison of Microsoft 365 Copilot Deployment Options (EU focus)
| Deployment | Training on data? | EU data residency | Data boundary | Admin controls | Compliance | Price |
|---|---|---|---|---|---|---|
| Microsoft 365 Copilot (Enterprise) | ✅ No training on customer data | ✅ Available (Multi-Geo required) | ✅ Tenant-isolated | ✅ Full admin dashboard, conditional access, DLP | ISO 27001, SOC 2, GDPR, DPA with SCCs | $30/user/month (+ base M365 license) |
| Microsoft 365 Copilot (Business) | ✅ No training on customer data | ✅ Available (regional data residency) | ✅ Tenant-isolated | ✅ Admin dashboard, basic controls | ISO 27001, SOC 2, GDPR, DPA with SCCs | $30/user/month (+ M365 Business license) |
| Microsoft Copilot (Free/Consumer) | ⚠️ May use data for improvement | ❌ Not available | ❌ No tenant isolation | ❌ No admin controls | Consumer privacy policy | Free (or $20/month Pro) |
Notes for Europe
- No training on customer data: Microsoft explicitly commits that Microsoft 365 Copilot does not use customer data (prompts, responses, data accessed through Microsoft Graph) to train foundation LLMs or any models outside your tenant.
- EU data residency: Available via Microsoft 365 Multi-Geo (Enterprise) or regional data commitments (Business). Copilot interactions and the semantic index are stored at rest in the selected regional geography. Copilot Chat is now a Core Online Service under the EU Data Boundary (Sept 2025).
- Data Processing Addendum (DPA): All Microsoft 365 commercial customers are covered by the Microsoft Products and Services DPA, which includes Standard Contractual Clauses (SCCs) for EU data transfers.
- Tenant isolation: Customer data stays within Microsoft 365 tenant boundaries. LLM processing occurs using Microsoft-managed infrastructure with strict isolation controls.
- Retention: Governed by Microsoft 365 retention policies; admins can configure retention for Copilot interactions.
- Pricing: Requires existing Microsoft 365 license (E3/E5, Business Standard/Premium, or equivalent). Copilot is a $30/user/month add-on. New bundled SMB SKUs (Dec 2025): Basic+Copilot $27, Standard+Copilot $33.50, Premium+Copilot $43 per user/month.
- Subprocessors: Anthropic/Claude added as subprocessor (Jan 2026); OFF by default for EU customers and excluded from EU Data Boundary.
- Researcher & Analyst agents: Included in Microsoft 365 Copilot license at no additional cost (GA June 2025).
3 Is Microsoft 365 Copilot GDPR-Compliant?
Short answer: Yes. Microsoft 365 Copilot inherits the comprehensive GDPR compliance framework of Microsoft 365, including DPA with Standard Contractual Clauses, EU data residency options (Multi-Geo), and enterprise-grade security certifications. Recommended for EU business deployment.
What applies to all Microsoft 365 Copilot deployments:
- No training on customer data - Microsoft explicitly states: "Your data is your data. We do not use your Microsoft 365 customer data to train foundation LLMs for use by others outside of your tenant."
- Data Processing Addendum with SCCs - All Microsoft 365 commercial customers are automatically covered by the DPA, which includes EU Standard Contractual Clauses.
- Comprehensive compliance certifications - ISO 27001, ISO 27018, ISO 27701, SOC 1, SOC 2, SOC 3, HIPAA, GDPR, EU Model Clauses.
- Tenant isolation - Data stays within your Microsoft 365 tenant; not shared across customers or used to improve services for others.
- Enterprise data protection - Inherits all Microsoft 365 security: conditional access, data loss prevention (DLP), sensitivity labels, information barriers, encryption at rest and in transit.
EU data residency:
- Microsoft 365 Multi-Geo - Enterprise customers can store Copilot interactions and semantic index in specific EU data centers (e.g., EU Data Boundary covering France, Germany, Netherlands, Sweden, etc.).
- Regional data commitments - Business customers receive regional data residency based on tenant country selection.
- Expanding sovereign AI capabilities - Microsoft is rolling out additional regional data processing options, including UK-specific storage (announced Oct 2025), UAE in-country processing (launching early 2026), and planned in-country processing for Germany, Italy, Spain, Sweden, and Switzerland in 2026. Copilot Chat is now a Core Online Service under the EU Data Boundary (Sept 2025).
- LLM processing - Data at rest stays in region, but real-time LLM processing may occur on Microsoft-managed infrastructure globally, under contractual data protection commitments.
What that means in practice:
- For EU enterprise deployment: Microsoft 365 Copilot with Multi-Geo provides EU data residency, no training on customer data, DPA with SCCs, and full admin controls. Suitable for GDPR-regulated workflows.
- For highly regulated industries: Conduct DPIA to assess data flows, but Microsoft's comprehensive compliance framework typically satisfies requirements. HIPAA BAA available for healthcare.
- For consumer/free Copilot: Not suitable for business use. Lacks tenant isolation, DPA, admin controls, and data residency guarantees.
Buyer's note: Microsoft 365 Copilot is one of the most GDPR-compliant enterprise AI tools available, with mature data residency, comprehensive DPA/SCCs, and explicit no-training commitments. Requires existing Microsoft 365 license.
4 Details by Offering
Microsoft 365 Copilot (Enterprise: E3, E5, F1, F3)
- No training on customer data - Microsoft does not use your data to train LLMs for others.
- Data residency: EU data residency available via Microsoft 365 Multi-Geo add-on. Copilot interactions and semantic index stored at rest in selected EU geography.
- Compliance: ISO 27001, SOC 2, GDPR, HIPAA-eligible with BAA, DPA with SCCs automatically applies.
- Admin controls: Comprehensive admin dashboard, conditional access policies, data loss prevention (DLP), sensitivity labels, eDiscovery, retention policies, audit logs.
- Tenant isolation: Data stays within Microsoft 365 tenant boundaries; not accessible to other customers.
- Pricing: $30/user/month (requires existing Microsoft 365 E3, E5, F1, or F3 license; typically $20-57/user/month depending on tier). Note: E3 base license price increases to $39/user/month in July 2026.
- Researcher & Analyst agents: Included in license at no additional cost (GA June 2025).
- When to use: European enterprise deployments, regulated industries, organisations requiring EU data residency, HIPAA-covered entities (with BAA).
- When not to use: Organisations without existing Microsoft 365 Enterprise licenses (consider Business tier or alternative platforms).
Microsoft 365 Copilot (Business: Business Standard, Business Premium)
- No training on customer data - Same commitment as Enterprise tier.
- Data residency: Regional data residency based on tenant billing country. EU tenants receive EU data storage.
- Compliance: ISO 27001, SOC 2, GDPR, DPA with SCCs.
- Admin controls: Admin dashboard, basic security controls, retention policies.
- Tenant isolation: Same as Enterprise tier.
- Pricing: $30/user/month (requires existing Microsoft 365 Business Standard or Business Premium license; $12.50-22/user/month).
- When to use: Small to medium European businesses with existing Microsoft 365 Business licenses, non-highly-regulated industries.
- When not to use: Organisations requiring advanced compliance features (Multi-Geo, advanced DLP, information barriers) available only in Enterprise tiers.
Microsoft Copilot (Free / Consumer)
- No enterprise guarantees - Consumer privacy policy applies; data may be used to improve services.
- Data residency: Not available.
- No tenant isolation - No organisational boundaries.
- No admin controls - Individual user accounts only.
- Pricing: Free (Copilot Pro: $20/month for individuals).
- When to use: Personal research, non-business use, experimentation.
- When not to use: Any business or organisational use; processing of personal data of EU residents; GDPR-regulated workflows.
5 Data Processing Flow
[User interacts with Copilot in Word/Outlook/Teams]
        ↓
[Microsoft 365 tenant (EU or selected region)]
 ├─ User prompt captured
 ├─ Microsoft Graph query (emails, files, calendar, chats)
 │   └─ Data stays within tenant boundary
 ├─ Semantic index (stored at rest in EU region if Multi-Geo enabled)
 └─ LLM processing (Microsoft-managed infrastructure)
     ├─ Customer data NOT used for training
     ├─ Processed with tenant isolation
     └─ Contractual data protection (DPA with SCCs)
        ↓
[Copilot response generated and displayed to user]
 ├─ Interaction stored per retention policy (configurable)
 └─ Audit logs available for eDiscovery
*Multi-Geo: Data at rest stored in EU geography*
*Data in transit: Encrypted with TLS 1.2+*
*Data at rest: Encrypted with Microsoft-managed keys or customer-managed keys*
6 Recommendations (GDPR-first)
- For European enterprise deployment, use Microsoft 365 Copilot (Enterprise) with Microsoft 365 Multi-Geo to ensure EU data residency. Review and accept DPA with SCCs (automatically provided).
- For small/medium businesses in EU, Microsoft 365 Copilot (Business) provides strong GDPR compliance with regional data residency, DPA/SCCs, and no training on customer data.
- For highly regulated industries (healthcare, finance), Microsoft 365 Copilot is HIPAA-eligible with executed BAA. Conduct DPIA and document data flows, but Microsoft's compliance framework is comprehensive.
- Configure retention policies for Copilot interactions to align with organisational data retention requirements.
- Enable Data Loss Prevention (DLP) and sensitivity labels to prevent accidental sharing of sensitive data through Copilot.
- Do not use consumer/free Copilot for business purposes - it lacks tenant isolation, DPA, admin controls, and data residency guarantees.
7 EU Rollout Checklist (Practical)
- Verify existing Microsoft 365 license eligibility - Enterprise (E3/E5) or Business (Standard/Premium) license required before purchasing Copilot add-on.
- Review Data Processing Addendum (DPA) - DPA with Standard Contractual Clauses automatically applies to all Microsoft 365 commercial customers. Download from Microsoft licensing portal.
- Enable Microsoft 365 Multi-Geo (if Enterprise) - Configure EU data residency for Copilot interactions and semantic index (requires Multi-Geo add-on; contact Microsoft licensing).
- Conduct Data Protection Impact Assessment (DPIA) - Document Copilot data flows, Microsoft's data protection measures (DPA, SCCs, encryption, tenant isolation), and necessity/proportionality.
- Configure retention and eDiscovery policies - Set retention periods for Copilot interactions in Microsoft 365 compliance center; enable eDiscovery for legal hold requirements.
- Enable Data Loss Prevention (DLP) and sensitivity labels - Configure DLP policies to prevent sharing of sensitive/confidential data through Copilot; apply sensitivity labels to restrict Copilot access to classified documents.
- Train users on responsible AI use - Establish guidelines on appropriate Copilot use, sensitive data handling, and limitations of AI-generated content.
- Update privacy notice - Disclose Microsoft 365 Copilot usage, data processing by Microsoft (as processor), EU data transfers (SCCs), and data subject rights.
- For healthcare: Execute Business Associate Agreement (BAA) with Microsoft before processing PHI.
8 Procurement Quick Answers (EU)
Is EU data residency available?
Yes. Enterprise customers can enable EU data residency via Microsoft 365 Multi-Geo (additional cost; stores Copilot interactions and semantic index in EU). Business customers receive regional data residency based on tenant billing country.
Does Microsoft train AI models on our data?
No. Microsoft explicitly states: "We do not use your Microsoft 365 customer data to train foundation LLMs for use by others outside of your tenant." Customer data stays within tenant boundaries.
Is a DPA available?
Yes. The Microsoft Products and Services Data Processing Addendum (DPA) automatically applies to all Microsoft 365 commercial customers and includes EU Standard Contractual Clauses (SCCs).
What certifications does Microsoft hold?
ISO 27001, ISO 27018, ISO 27701, SOC 1, SOC 2, SOC 3, HIPAA (with BAA), GDPR, EU Model Clauses, and many others. Full list at Microsoft Trust Center.
What data does Copilot access?
Copilot accesses data the user has permission to access within Microsoft 365 (emails, files, calendar, chats, documents). It respects existing permissions and does not grant users access to data they couldn't already see.
Can we use Copilot for healthcare data (PHI)?
Yes, with executed Business Associate Agreement (BAA). Microsoft 365 is HIPAA-eligible. Contact Microsoft to arrange BAA before processing PHI.
What happens to our data if we cancel Copilot?
Copilot interactions are subject to Microsoft 365 retention policies. Upon license removal, data is retained or deleted per configured retention policy. No data is used for training.
Does Copilot work offline?
No. Microsoft 365 Copilot requires internet connectivity to access Microsoft Graph and LLM processing infrastructure.
What is Microsoft 365 Multi-Geo and do we need it?
Multi-Geo allows Enterprise customers to store data at rest in specific geographic regions (e.g., EU Data Boundary). Recommended for organisations with hard EU data residency requirements. Available as add-on to Enterprise licenses.
9 Notes & Caveats
- Requires existing Microsoft 365 license: Copilot is an add-on ($30/user/month) and requires active Microsoft 365 E3/E5, Business Standard/Premium, or equivalent license ($12.50-57/user/month). Total cost: $42.50-87/user/month. Alternative bundled SMB SKUs (Dec 2025) combine base license + Copilot at $27-43/user/month.
- E3 price increase: Microsoft 365 E3 base license increases to $39/user/month in July 2026; plan budget accordingly.
- Anthropic/Claude subprocessor: Added Jan 2026. Disabled by default for EU customers; excluded from EU Data Boundary. Admins should verify this remains disabled if Claude processing is not desired.
- Multi-Geo is additional cost: EU data residency for Enterprise customers requires Microsoft 365 Multi-Geo add-on (pricing varies; contact Microsoft licensing). Business customers receive regional residency by default.
- LLM processing may occur globally: While data at rest stays in EU (with Multi-Geo), real-time LLM inference may use Microsoft-managed infrastructure globally. Microsoft provides contractual data protection (DPA, SCCs) and tenant isolation.
- Oversharing risk: Copilot can access any data the user has permission to see. Organisations should audit and remediate overpermissioned files before enabling Copilot to prevent accidental exposure of sensitive data.
- AI output accuracy: Copilot can generate plausible but incorrect content ("hallucinations"). Users should verify critical information, especially for regulated/high-stakes use cases.
- Web grounding optional: Copilot can optionally use Bing search for web-grounded responses. When enabled, queries may be processed outside EU. Admins can disable via controls.
- Consumer Copilot ≠ Microsoft 365 Copilot: The free "Microsoft Copilot" (consumer version) lacks enterprise protections. Ensure users access Copilot through Microsoft 365 apps (Word, Outlook, Teams) with organisational accounts, not personal Microsoft accounts.
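The oversharing caveat above is the one item an admin can check with a script before enabling Copilot. The following is an added example, not Microsoft's code or part of this overview: it walks a user's OneDrive through the Microsoft Graph REST API and flags items whose permissions are broad (anonymous or organisation-wide sharing links, or grants to the tenant-wide "Everyone" groups), since Copilot will surface such files to anyone who can already reach them. The Graph endpoints, the permission resource fields (`roles`, `link.scope`, `grantedToV2`) and the "Everyone" group display names are assumptions stated in the code; the classification logic runs offline against a constructed sample.

```python
"""Pre-Copilot sharing audit (added example; assumes Graph v1.0 drive-item endpoints)."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Assumed display names of the tenant-wide SharePoint claims groups.
EVERYONE_GROUPS = {"Everyone", "Everyone except external users"}


def classify_permission(perm):
    """Return a finding for a broad permission, or None if it is scoped to named people."""
    roles = ",".join(perm.get("roles", [])) or "read"
    scope = (perm.get("link") or {}).get("scope")   # anonymous | organization | users
    if scope == "anonymous":
        return f"anonymous link ({roles})"
    if scope == "organization":
        return f"organisation-wide link ({roles})"
    # grantedToV2 carries one identity per kind (user, group, siteGroup, ...).
    for ident in (perm.get("grantedToV2") or {}).values():
        if isinstance(ident, dict) and ident.get("displayName") in EVERYONE_GROUPS:
            return f"granted to {ident['displayName']} ({roles})"
    return None


def audit_items(items):
    """items: iterable of (path, [permission, ...]); returns [(path, finding), ...]."""
    return [(path, f) for path, perms in items
            for f in (classify_permission(p) for p in perms) if f]


def _paged(token, url):
    """Follow @odata.nextLink pagination and yield each element of 'value'."""
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def walk_drive(token, user_principal_name):
    """Yield (path, permissions) for every item in a user's OneDrive, recursing into folders."""
    yield from _walk(token, f"{GRAPH}/users/{user_principal_name}/drive/root/children", "")


def _walk(token, url, prefix):
    for item in _paged(token, url):
        drive_id, path = item["parentReference"]["driveId"], f"{prefix}/{item['name']}"
        base = f"{GRAPH}/drives/{drive_id}/items/{item['id']}"
        yield path, list(_paged(token, f"{base}/permissions"))
        if "folder" in item:
            yield from _walk(token, f"{base}/children", path)


# Constructed sample mirroring the Graph permission shape (not real tenant data).
SAMPLE_ITEMS = [
    ("/Board-minutes.docx", [{"roles": ["read"], "link": {"scope": "anonymous", "type": "view"}}]),
    ("/Salaries.xlsx", [{"roles": ["write"], "link": {"scope": "organization", "type": "edit"}}]),
    ("/Team-notes.docx", [{"roles": ["read"], "grantedToV2": {"user": {"displayName": "Ana"}}}]),
    ("/HR", [{"roles": ["read"], "grantedToV2": {"siteGroup": {"displayName": "Everyone except external users"}}}]),
]

if __name__ == "__main__":
    for path, finding in audit_items(SAMPLE_ITEMS):   # swap for walk_drive(token, upn) live
        print(f"{path}: {finding}")
```

Run live with a token holding Files.Read.All and `audit_items(walk_drive(token, "user@example.com"))`; remediate the flagged items (or apply sensitivity labels that exclude Copilot) before assigning licenses.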
10 Disclaimer
This overview is intended solely as an informative tool. We strongly advise customers to thoroughly review all Data Processing Agreements (DPAs) and privacy documentation before deploying Microsoft 365 Copilot in production environments - especially when processing personal data, special category data, or protected health information. WAIMAKERS applies this same principle internally; all tools we use have been thoroughly assessed and included in our own privacy and security documentation. Customers should always carefully evaluate the official documentation, terms, and DPAs of each AI provider they use. WAIMAKERS cannot be held legally liable for any mistakes, errors, inaccuracies, or for the accuracy, currency, or completeness of the information in this document; the ultimate responsibility for GDPR compliance rests with the customer.
Prepared and issued by WAIMAKERS B.V. - March 2026.
References
- Microsoft 365 Copilot - Enterprise Data Protection - https://learn.microsoft.com/en-us/copilot/microsoft-365/enterprise-data-protection
- Microsoft 365 Copilot - Data Protection Architecture - https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-architecture-data-protection-auditing
- Microsoft 365 Copilot - Data, Privacy, and Security - https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/data-privacy-security
- Microsoft 365 Copilot - Privacy and Protections - https://learn.microsoft.com/en-au/copilot/privacy-and-protections
- Microsoft 365 Copilot - Transparency Note - https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-transparency-note
- Microsoft Products and Services Data Processing Addendum - https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA
- Microsoft Trust Center - GDPR Overview - https://www.microsoft.com/en-us/trust-center/privacy/gdpr-overview