You need to confirm that Microsoft Copilot complies with GDPR Article 28 requirements for your organization. The Data Processing Addendum is a legal document that defines how Microsoft processes personal data when you use Copilot services. This walkthrough explains the key sections of the DPA, the steps to accept it in the Microsoft 365 admin center, and the specific data protection terms that apply to Copilot features. You will learn where to find the DPA and what obligations Microsoft accepts as a data processor.
Key Takeaways: Microsoft Copilot GDPR DPA Walkthrough
- Microsoft 365 admin center > Settings > Org settings > Privacy > Data Processing Addendum: Location where you can view and accept the current DPA for Copilot services.
- GDPR Article 28 clauses: Define Microsoft as a data processor, including sub-processor lists, data location, data deletion, and audit rights.
- Copilot-specific data processing: Microsoft processes prompts, responses, and usage data for service delivery, but does not use this data for model training unless you opt in to the Customer Feedback program.
What the GDPR Article 28 Data Processing Addendum Covers for Copilot
The DPA is a legally binding agreement between your organization as a data controller and Microsoft as a data processor. It covers all Microsoft 365 services including Copilot. The DPA defines the scope of data processing, the types of personal data, and the duration of processing. For Copilot, the DPA specifically addresses how Microsoft handles your prompts, the context data Copilot retrieves from Microsoft Graph, and the generated responses.
The DPA incorporates the Standard Contractual Clauses for international data transfers when your data is processed outside the European Economic Area. Microsoft publishes the DPA on the Microsoft Trust Center and updates it when new Copilot features change the data processing scope. You must accept the DPA before your organization can use Copilot with enterprise data protection.
Key Clauses in the DPA Relevant to Copilot
Article 28 requires the processor to:
- Process personal data only on documented instructions from the controller. Microsoft states that Copilot processes data only for the purposes specified in your tenant configuration, such as grounding responses on your SharePoint or OneDrive files.
- Ensure personnel involved in processing are bound by confidentiality. Microsoft applies this to all Copilot engineering and support staff.
- Implement appropriate technical and organizational measures. For Copilot, this includes encryption in transit and at rest, access controls via Azure AD, and data isolation between tenants.
- Assist the controller with data subject requests. Microsoft provides tools for you to export or delete Copilot interaction data.
- Delete or return personal data at the end of the service. The DPA specifies that Copilot data is deleted within 90 days of contract termination.
- Notify the controller of personal data breaches. Microsoft has a 72-hour notification policy for breaches affecting Copilot services.
Steps to Access and Accept the Copilot DPA in the Microsoft 365 Admin Center
You must be a Global Administrator or Billing Administrator to view and accept the DPA. The DPA is a tenant-wide setting. Once accepted, it applies to all users in your organization.
- Sign in to the Microsoft 365 admin center: Go to admin.microsoft.com and sign in with your administrator account. Navigate to Settings, then Org settings.
- Open the Privacy tab: In the Org settings page, select the Privacy tab. You will see the Data Processing Addendum option.
- Review the current DPA version: Click Data Processing Addendum. The page displays the current version number, the effective date, and a link to the full document. Microsoft updates the DPA when Copilot features change data processing. Check the version date to confirm you are reviewing the latest terms.
- Read the Copilot-specific appendix: The DPA includes an appendix that lists all Microsoft services covered. Look for Microsoft Copilot for Microsoft 365 in this list. The appendix specifies the data categories, processing purposes, and sub-processors for Copilot.
- Accept the DPA: If you agree with the terms, click Accept. A confirmation dialog appears. Click Confirm to finalize. The status changes to Accepted. You can download a PDF copy of the accepted DPA for your records.
- Verify acceptance across all tenants: If your organization uses multiple Microsoft 365 tenants, repeat the process for each tenant. The DPA acceptance does not sync between tenants.
Common Questions About the Copilot DPA
Does the DPA Cover All Copilot Versions?
The DPA covers Copilot for Microsoft 365, Copilot in Bing for enterprise users, and Copilot in Windows with enterprise accounts. The free Copilot consumer version is not covered by the enterprise DPA. Consumer Copilot data processing follows the Microsoft Services Agreement and Privacy Statement, not the DPA.
What Happens If I Do Not Accept the DPA?
If you do not accept the DPA, your organization cannot use Copilot with enterprise data protection. Users may still access Copilot features, but Microsoft processes the data under the standard terms of service rather than the GDPR-compliant DPA. This may violate your organization’s compliance requirements. The admin center shows a warning banner until you accept the DPA.
Can I Reject the DPA After Accepting It?
You cannot reject the DPA through the admin center. To remove acceptance, you must disable Copilot for your tenant in the Microsoft 365 admin center under Settings > Org settings > Copilot. Disabling Copilot does not reverse the DPA acceptance, but it stops Copilot data processing. Contact Microsoft Support if you need to formally rescind the DPA.
Copilot DPA vs Microsoft Online Services DPA: Key Differences
| Item | Copilot DPA | Microsoft Online Services DPA |
|---|---|---|
| Scope | Covers Copilot for Microsoft 365, Copilot in Bing enterprise, Copilot in Windows enterprise | Covers all Microsoft 365 apps including Exchange, SharePoint, Teams, and Azure AD |
| Data categories | Prompts, responses, context data from Microsoft Graph, usage logs | Emails, documents, chat messages, calendar items, user profiles |
| Sub-processors | Azure infrastructure, OpenAI model hosting (if enabled), Microsoft Graph | Azure infrastructure, third-party services listed in the Sub-processor List |
| Data retention | 90 days after contract termination for Copilot interaction data | 30 days after contract termination for most service data |
| Model training | Customer data is not used for training unless you opt into Customer Feedback | Customer data is not used for training Microsoft AI models |
| Audit rights | Microsoft provides SOC 2 Type II reports and ISO 27001 certification for Copilot services | Same audit reports available for all Microsoft 365 services |
Conclusion
You can now locate and accept the Microsoft Copilot GDPR Article 28 Data Processing Addendum in the Microsoft 365 admin center under Settings > Org settings > Privacy. The DPA defines Microsoft as a data processor for Copilot and includes specific clauses on data deletion, breach notification, and sub-processor disclosure. Review the Copilot-specific appendix to confirm the data categories and processing purposes match your compliance requirements. For ongoing compliance, monitor the Trust Center for DPA updates when Microsoft releases new Copilot features that change data processing scope.