Microsoft 365 Copilot GDPR Compliance in Germany — 2026 Update
Last updated: April 2026. This page supersedes our January 2026 version to reflect three significant compliance developments: Anthropic’s addition as a Microsoft 365 Copilot subprocessor (January 7, 2026), the DSK’s published criticism of Microsoft’s Data Processing Agreement, and the established DPIA requirement for large-scale Copilot deployments under Art. 35 GDPR.
Can Microsoft 365 Copilot Be Deployed in Germany?
Microsoft 365 Copilot can be deployed in Germany, but doing so lawfully in 2026 requires completing a GDPR-compliant DPA review, conducting a Data Protection Impact Assessment (DPIA) under Art. 35 GDPR, and carefully addressing the DSK’s published concerns about Microsoft’s standard data processing terms. The EU Data Boundary feature keeps most data within the EU, but German data protection authorities have raised specific compliance concerns that cannot be resolved by technical configuration alone.
German companies evaluating or already running Copilot should treat this as an active, ongoing compliance project — not a one-time vendor checkbox. Three developments make this especially urgent in 2026: a new AI subprocessor added to the data flow, formal DPA criticism from Germany’s supervisory authority conference, and a DPIA requirement that most large deployments now trigger.
What Changed in 2026: Anthropic as Subprocessor and DSK’s DPA Criticism
Two of the three developments noted above materially change the compliance picture for German companies (the DPIA requirement is covered in its own section below):
1. Anthropic became a Microsoft 365 Copilot subprocessor on January 7, 2026. Microsoft updated its published subprocessor list to add Anthropic AI (UK) Limited as a subprocessor for Microsoft 365 Copilot. This means some Copilot processing — specifically AI inference for certain Copilot features — may route through Anthropic’s infrastructure. For German companies with existing DPIAs or deployment decisions made before this date, this change requires reassessment. You must ensure your DPA chain with Microsoft covers downstream Anthropic processing, and your DPIA must reflect this additional subprocessor relationship.
2. The DSK (Datenschutzkonferenz) — the joint body of Germany’s federal and state data protection authorities — has published a position that Microsoft’s standard DPA does not adequately meet GDPR requirements. The DSK’s criticism centers on insufficient transparency around subprocessors, inadequate contractual guarantees for personal data processed by AI services, and concerns about data transfers to the United States even within the EU Data Boundary framework. While the DSK position does not constitute a formal ban, it signals that German supervisory authorities are actively scrutinizing Microsoft 365 Copilot deployments. This creates real enforcement risk for companies that proceed on the basis of Microsoft’s standard terms without additional legal analysis.
These two developments together mean that a Microsoft 365 Copilot deployment assessment completed before early 2026 is likely incomplete.
Microsoft’s DPA: What German Companies Must Review
Microsoft provides its Data Processing Agreement (DPA) as the Microsoft Products and Services Data Protection Addendum, incorporated into the Microsoft Product Terms. For GDPR compliance, the key sections are the controller/processor relationship (the Art. 28 GDPR terms), the subprocessor authorization and notification mechanism, and the EU Standard Contractual Clauses (SCCs) incorporated by reference for transfers outside the EEA.
EU Data Boundary: What It Covers and What It Doesn’t
The EU Data Boundary (EUDB) is Microsoft’s commitment to store and process customer data and pseudonymized personal data for its core cloud services, including Microsoft 365 Copilot, within the EU and EFTA. It is not a per-tenant switch: a tenant falls within the EUDB when it was provisioned with an EU or EFTA country, which you can confirm from the tenant’s data location in the Microsoft 365 admin center. For such tenants:
- Prompts and responses from Copilot are processed and stored in EU datacenters
- Microsoft 365 content accessed by Copilot (emails, documents, Teams chats) remains in-region
- Diagnostic data for service improvement is minimized and kept within EU boundaries
However, EUDB does not resolve all GDPR concerns:
- Subprocessor transfers: Third-party subprocessors (including Anthropic AI (UK) Limited, as of January 7, 2026) may process data in their own jurisdictions. These transfers are governed by SCCs but require specific due diligence.
- Transfer basis and Transfer Impact Assessment: following Schrems II, any transfer to a third country that relies on SCCs (Art. 46 GDPR) requires a Transfer Impact Assessment (TIA). Transfers to the UK can instead rely on the EU-UK adequacy decision (Art. 45 GDPR), in which case no TIA is required, but the decision is subject to review and your documentation should record which basis applies. A TIA remains necessary for any onward transfer from the UK entity to a country without adequacy, for example if Anthropic’s inference runs on infrastructure outside the UK.
- FISA 702 concern: German and EU data protection authorities continue to flag US intelligence law (particularly FISA Section 702, alongside the CLOUD Act) as a structural risk for data held by US-headquartered providers. Microsoft Ireland Operations Limited is the contracting entity and processor for EU customers, but it is a subsidiary of Microsoft Corporation, so parent-company jurisdiction concerns remain regardless of where the data sits.
DSK Position: Where Microsoft’s DPA Falls Short
The DSK’s published position identifies specific gaps in Microsoft’s standard contractual terms for AI services:
- Subprocessor transparency: The DSK considers Microsoft’s subprocessor list notification mechanism (email update with a 30-day objection window) insufficient for meaningful controller control over AI subprocessors.
- Purpose limitation: The DSK raises questions about whether Microsoft’s legitimate interests in improving its AI services conflict with the purpose limitation principle under GDPR Art. 5(1)(b), particularly for Copilot usage data.
- Legal basis for telemetry: Certain diagnostic and telemetry data collection associated with Copilot may lack a clearly documented legal basis under German law.
German companies should treat the DSK position as a material compliance signal requiring legal review — not a concern to note and file away. If your data protection officer has not reviewed the current Microsoft DPA against the DSK’s specific objections, that review should happen before or alongside your DPIA.
See also our Azure OpenAI GDPR and DPA guide for Microsoft’s broader cloud compliance posture, and GitHub Copilot GDPR compliance for the developer-specific deployment considerations.
DPIA Requirement for Microsoft 365 Copilot (Art. 35 GDPR)
A Data Protection Impact Assessment (DPIA) under Article 35 GDPR is mandatory where processing is “likely to result in a high risk to the rights and freedoms of natural persons.” For Microsoft 365 Copilot, a DPIA is required in most German enterprise deployments.
When a DPIA Is Mandatory
The following factors, present in most Copilot rollouts, trigger DPIA obligations under Art. 35 GDPR:
- Systematic and large-scale processing of personal data: Copilot accesses emails, meeting recordings, documents, and chat messages at scale — this is systematic processing of significant volumes of personal data about identifiable individuals.
- Processing of employee data with behavioral profiling potential: Copilot generates summaries, drafts communications, and surfaces patterns across individual employees’ Microsoft 365 activity. German DPAs classify profiling-adjacent processing of employee data as inherently high-risk.
- New technology: Art. 35(1) GDPR explicitly flags processing using new technologies as a DPIA trigger. AI-assisted processing of workplace communications qualifies.
- Monitoring of employees: Copilot Analytics and Microsoft Viva Insights features provide management with aggregate and individual insights into employee productivity and communication patterns — a monitoring use case under German law.
German companies deploying Copilot beyond a small pilot (generally: more than 50 employees with active Copilot licenses across more than one business unit) should treat a DPIA as mandatory, not discretionary.
How to Structure a Copilot DPIA
A GDPR-compliant DPIA for Microsoft 365 Copilot should document:
- Processing description: What personal data Copilot accesses (emails, documents, Teams messages, calendar data), the categories of data subjects (employees, customers, business partners whose data is in Microsoft 365), and the scope of deployment.
- Necessity and proportionality assessment: Why Copilot processing is necessary for the stated business purpose, and why less privacy-invasive alternatives were considered and rejected.
- Risk assessment: Risks including unauthorized data exposure (Copilot surfacing over-shared content to users who should not have access), inference risks (AI-generated profiles of individual employee performance), and transfer risks (subprocessor chain including Anthropic from January 2026).
- Mitigation measures: Technical and organizational measures including Microsoft Purview sensitivity labels, admin-controlled feature restrictions, Works Council agreement terms, and user training programs.
- Subprocessor review: Explicit documentation of the Anthropic AI (UK) Limited subprocessor relationship established January 7, 2026, including the transfer basis relied upon (EU-UK adequacy decision or SCCs) and, where SCCs are relied upon or data moves onward from the UK, a Transfer Impact Assessment.
- Consultation record: If the DPIA concludes that residual high risks remain after mitigation, Art. 36 GDPR requires prior consultation with the supervisory authority (the relevant German state DPA) before deployment proceeds.
Data Flows: What Copilot Sends Where
Understanding Copilot’s data flows is essential for your DPIA and your DPA review.
Microsoft First-Party Data Flows
When a user submits a prompt to Microsoft 365 Copilot:
- The prompt is transmitted to Microsoft’s Azure OpenAI Service infrastructure (EU-based for EUDB-enabled tenants)
- Microsoft Graph (via the semantic index) retrieves relevant content from the user’s mailbox, files, chats, and calendar as grounding context (Retrieval Augmented Generation). Retrieval is permission-trimmed: Copilot returns only content the user could already open themselves, so over-permissioned SharePoint sites and tenant-wide “Everyone” shares are the main exposure path.
- The contextualized prompt is processed by the language model
- The response is returned and displayed within the relevant Office application
- Prompts and responses are stored in the user’s Exchange Online mailbox and are governed by the Microsoft Purview retention policies that cover Copilot interactions, so configure those policies deliberately rather than assuming the defaults match your DPIA
Enterprise Data Protection (EDP) terms cover prompts and responses under the same contractual framework as standard Microsoft 365 data — the same terms governing your email and SharePoint content. Copilot data is not used to train Microsoft’s foundational AI models.
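The two controls that decide what reaches the model are the permission trim on retrieval and the label’s usage rights, and the risk item in the DPIA section above (Copilot surfacing over-shared content) is what happens when the first of these is satisfied by an over-broad ACL. The following toy model, an added example rather than Microsoft’s implementation, shows both checks on a constructed corpus: grounding retrieval keeps only documents the user can already read and whose label grants an extract right, while a separate over-share report flags protected documents that are shared tenant-wide. Document IDs, labels, group names and the EVERYONE principal string are all constructed for illustration.

```python
"""Toy model of permission-trimmed, label-gated grounding retrieval.

Added example; it is not Microsoft's code. It models two controls:
  1. permission trimming: only documents the user can already read are retrieved
  2. usage-rights gating: protected labels without an EXTRACT-style right are withheld
and a third check, an over-share report, that finds the real root cause
(sensitive content shared tenant-wide) before a user's prompt ever reaches the model.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set

# Constructed principal name standing in for a tenant-wide sharing group.
EVERYONE = "Everyone except external users"


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    acl: FrozenSet[str]          # principals (UPNs or groups) with read access
    label: str                   # sensitivity label name (constructed)
    extract_allowed: bool        # label usage rights permit extraction/summarisation


@dataclass(frozen=True)
class User:
    upn: str
    groups: FrozenSet[str]


def can_read(doc: Document, user: User) -> bool:
    """Permission trim: the user must already hold read access by UPN, group or tenant-wide share."""
    return EVERYONE in doc.acl or user.upn in doc.acl or bool(doc.acl & user.groups)


def _tokens(text: str) -> Set[str]:
    return {w.lower().strip(".,:;") for w in text.split()}


def retrieve(corpus: Iterable[Document], user: User, query: str, protected_labels: Set[str]) -> List[str]:
    """Return IDs of documents eligible as grounding context for this user's prompt.

    A document is withheld if the user cannot read it, or if it carries a protected
    label whose usage rights do not allow extraction (the analogue of a label-applied
    encryption without the EXTRACT right). Matching is a simple keyword overlap.
    """
    terms = _tokens(query)
    hits: List[str] = []
    for doc in corpus:
        if not can_read(doc, user):
            continue                                  # control 1: permission trim
        if doc.label in protected_labels and not doc.extract_allowed:
            continue                                  # control 2: usage-rights gate
        if terms & _tokens(doc.text):
            hits.append(doc.doc_id)
    return hits


def overshare_report(corpus: Iterable[Document], protected_labels: Set[str]) -> List[str]:
    """Find protected documents that are shared tenant-wide: the over-sharing root cause."""
    return [d.doc_id for d in corpus if d.label in protected_labels and EVERYONE in d.acl]


# Constructed sample corpus (not real data).
CORPUS = [
    Document("hr-salary-2025", "Salary bands for all German staff, 2025 review.",
             frozenset({EVERYONE}), "Confidential", True),          # over-shared AND extractable
    Document("board-minutes", "Board minutes: salary cuts and restructuring plan.",
             frozenset({"board@example.com", EVERYONE}), "Highly Confidential", False),  # over-shared, but gated
    Document("hr-appraisal-bob", "Performance appraisal and salary recommendation for Bob.",
             frozenset({"hr-team"}), "Confidential", True),          # correctly restricted
    Document("canteen-menu", "Canteen menu for next week.",
             frozenset({EVERYONE}), "General", True),
]
PROTECTED = {"Confidential", "Highly Confidential"}

if __name__ == "__main__":
    alice = User("alice@example.com", frozenset({"sales"}))
    print("grounding for alice:", retrieve(CORPUS, alice, "salary review", PROTECTED))
    print("over-shared protected docs:", overshare_report(CORPUS, PROTECTED))
```

Run as written, a sales user asking about salaries is grounded only on the over-shared HR document: the board minutes are readable by everyone but withheld by the usage-rights gate, and Bob’s appraisal is trimmed by the ACL. The over-share report still lists both the HR document and the board minutes, because the label gate masks the symptom without fixing the sharing, which is the point the DPIA mitigation section makes about remediating over-sharing rather than relying on labels alone.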
Anthropic Subprocessor Flows (from January 7, 2026)
As of January 7, 2026, Anthropic AI (UK) Limited appears on Microsoft’s published subprocessor list for Microsoft 365 Copilot. This means certain Copilot AI inference tasks may be processed by Anthropic’s systems rather than Microsoft’s Azure OpenAI infrastructure exclusively.
Key compliance implications:
- Data transfer basis: Anthropic AI (UK) Limited is a UK entity. Post-Brexit, EU-to-UK transfers rest either on the EU-UK adequacy decision (currently in place, subject to review) or on SCCs. Verify in Microsoft’s DPA and subprocessor documentation which basis applies and where Anthropic actually performs the processing; a TIA is needed where SCCs are relied upon or where data moves on from the UK to a country without adequacy.
- Your DPIA must reflect this: If your DPIA was completed before January 7, 2026, it does not cover the Anthropic subprocessor relationship. Update your DPIA to include this relationship.
- Inform your Works Council: If your Betriebsvereinbarung for Copilot describes data flows or lists subprocessors, it may need to be amended to reflect the new subprocessor.
For a comparison of how Anthropic handles data processing for enterprise customers directly, see our Claude Enterprise GDPR guide.
Steps to Deploy Microsoft 365 Copilot Lawfully in Germany
Follow these steps before or during a Copilot rollout in a German enterprise:
- Review the current Microsoft DPA against the DSK’s published objections. Engage your Data Protection Officer and, if the gap analysis reveals material issues, external counsel.
- Confirm your tenant falls within the EU Data Boundary. There is no per-tenant switch: EUDB coverage follows the country the tenant was provisioned in. In the Microsoft 365 admin center, open Settings > Org settings > Organization profile > Data location and confirm that the workloads Copilot draws on (Exchange Online, SharePoint, Teams) show an EU location.
- Conduct or update your DPIA before expanding beyond a limited pilot. The DPIA must document the Anthropic subprocessor relationship established January 7, 2026, the transfer basis relied upon, and a Transfer Impact Assessment where SCCs or an onward transfer from the UK are involved.
- Engage your Works Council (Betriebsrat) under § 87(1) No. 6 BetrVG before rollout: Copilot’s access to employee communications and its productivity analytics are technical systems suited to monitoring performance or conduct, which triggers co-determination. Negotiate a Betriebsvereinbarung that defines permitted use cases, data retention rules, which analytics features are switched off, and employee rights to information and objection.
- Configure Copilot admin controls: use the Microsoft 365 admin center to switch off Copilot features not covered by your DPIA or Betriebsvereinbarung. Note that a sensitivity label by itself does not hide content from Copilot; what restricts it is label-applied encryption whose usage rights do not grant EXTRACT (Copilot honors usage rights and will not summarize or quote such content), plus SharePoint-side controls such as Restricted SharePoint Search or Restricted Content Discovery to keep over-shared sites out of retrieval. Remediate the underlying over-sharing as well, since Copilot surfaces whatever the user can already open.
- Document your legal basis per use case: Copilot processing of employee data typically relies on legitimate interests (Art. 6(1)(f) GDPR) subject to a balancing test, or performance of the employment contract (Art. 6(1)(b) GDPR). Do not rely on employee consent for standard workplace deployments — consent is not freely given in the employment context under German law.
- Monitor the DSK’s position: The DSK’s published concerns may evolve into enforcement guidance or formal decisions. Subscribe to updates from your relevant state data protection authority (Landesbeauftragter für Datenschutz).
See also: Microsoft Teams Copilot compliance guide for Teams-specific data flow and co-determination considerations.
Compliance Checklist (2026)
Use this checklist when auditing an existing Copilot deployment or planning a new one:
- Tenant confirmed within the EU Data Boundary (data location verified in the Microsoft 365 admin center)
- Current Microsoft DPA reviewed against DSK’s published position (post-January 2026)
- DPIA completed and updated to include Anthropic AI (UK) Limited subprocessor (added January 7, 2026)
- Transfer basis for the Anthropic subprocessor documented (adequacy decision or SCCs); Transfer Impact Assessment (TIA) completed where SCCs or onward transfers apply
- Works Council (Betriebsrat) consultation completed; Betriebsvereinbarung in place before rollout
- Legal basis documented per use case; no blanket consent relied upon for employee data
- Microsoft Purview sensitivity labels with encryption configured (no EXTRACT right on restricted content) and SharePoint over-sharing remediated to control Copilot’s retrieval scope
- Admin-controlled feature restrictions applied for analytics/monitoring features not covered by DPIA
- Data subject rights procedures updated to cover Copilot-generated content and summaries
- Incident response and breach notification procedures updated for Copilot-specific scenarios
Frequently Asked Questions
Is Microsoft 365 Copilot GDPR compliant?
Microsoft 365 Copilot provides the contractual and technical infrastructure for GDPR-compliant deployment — including a DPA, EU Data Boundary, and Microsoft Purview — but GDPR compliance is not automatic. German companies deploying Copilot must complete their own DPIA, review the DPA against the DSK’s specific concerns, engage the Works Council, and document their legal basis per use case. The DSK has published that Microsoft’s standard DPA does not fully meet GDPR requirements. This requires active legal analysis rather than reliance on Microsoft’s ISO certifications alone.
What does the DSK say about Microsoft Copilot?
The Datenschutzkonferenz (DSK) — the joint body of Germany’s federal and state data protection supervisory authorities — has published a position that Microsoft’s standard Data Processing Agreement for AI services, including Microsoft 365 Copilot, does not fully meet GDPR requirements. Specific concerns include insufficient subprocessor transparency, purpose limitation questions regarding AI feature improvement, and unresolved concerns about US intelligence law exposure. This is not a deployment ban but is a significant compliance signal that requires individual legal assessment for each organization.
Do I need a DPIA for Microsoft 365 Copilot?
Yes, in most German enterprise deployments. A DPIA under Art. 35 GDPR is required because Copilot involves large-scale systematic processing of employee personal data — including emails, documents, and communications — using AI technology, with profiling-adjacent analytics features. This combination meets the DPIA trigger criteria under both Art. 35 GDPR and the German DPA list of processing activities requiring mandatory DPIA. Any DPIA completed before January 7, 2026, must be updated to reflect the Anthropic subprocessor addition.
Is Anthropic a subprocessor for Microsoft 365 Copilot?
Yes. As of January 7, 2026, Anthropic AI (UK) Limited appears on Microsoft’s published subprocessor list for Microsoft 365 Copilot. This means some Copilot AI inference may route through Anthropic’s infrastructure. German companies must reflect this in their DPIA, verify the transfer basis for UK-based Anthropic processing, and update their Betriebsvereinbarung if it describes data flows or subprocessors.
What legal basis applies for Copilot processing of employee data in Germany?
For standard workplace productivity use cases, the most defensible legal bases under German law are legitimate interests (Art. 6(1)(f) GDPR) — subject to a documented balancing test — or performance of the employment contract (Art. 6(1)(b) GDPR) where Copilot directly supports the employee’s contractual duties. Consent (Art. 6(1)(a) GDPR) is generally inappropriate in employment contexts under German law due to the structural power imbalance between employer and employee. Document your chosen legal basis per use case, particularly for Copilot Analytics and monitoring-adjacent features.
Deploying Microsoft 365 Copilot in Germany and need legal support? Contact Compound Law for a compliance assessment covering DPIA, Works Council negotiation, and DPA review.