Microsoft Copilot Brazil LGPD Compliance: Customer Responsibilities

Microsoft Copilot services process data that may contain personal information of Brazilian individuals, making compliance with the Lei Geral de Proteção de Dados Pessoais a shared obligation. Microsoft provides contractual and technical safeguards, but customers control what data is uploaded, how it is classified, and which users can access Copilot features. This article explains the specific responsibilities that fall on the customer under the LGPD when using Copilot for Microsoft 365, including data classification, consent management, and incident response planning.

Key Takeaways: Customer LGPD Obligations for Copilot in Brazil

  • Data classification labels in Microsoft Purview: Apply sensitivity labels to documents and emails before Copilot processes them to enforce LGPD retention and access rules.
  • Copilot data source controls in Microsoft 365 admin center: Restrict which SharePoint sites, OneDrive folders, and Exchange mailboxes Copilot can index for grounded responses.
  • Consent management via Azure AD Conditional Access: Block Copilot access for users who have not accepted an LGPD-compliant data processing consent statement.

Why LGPD Compliance Is a Shared Responsibility for Copilot

The LGPD defines a data controller as the entity that decides why and how personal data is processed, and a data processor as the entity that processes data on behalf of the controller. Microsoft is the processor. The customer is the controller. This distinction means Microsoft is not responsible for the legality of the processing purposes set by the customer.

When a user types a prompt into Copilot in Word, the prompt and any data that Copilot retrieves from Microsoft Graph are processed on Microsoft servers. The customer decides which documents are indexed, which user accounts have licenses, and which data sources are connected. If a prompt causes Copilot to process personal data without a legal basis under the LGPD, the customer bears the liability.

Microsoft has published the Product Terms and the Data Protection Addendum, which state that the customer retains ownership of all customer data. Microsoft does not use customer data to train its foundation models. However, the customer must ensure that data uploaded to Microsoft 365 services, including Copilot, has a valid LGPD legal basis such as consent, legitimate interest, or contract performance.

Key LGPD Requirements That Apply to Copilot Use

Article 6 of the LGPD requires data processing to be purpose-specific, adequate, and necessary. Article 7 lists legal bases, including consent and legitimate interest. Article 18 gives data subjects the right to access, correct, and delete their data. Article 46 requires security measures. Copilot does not automatically satisfy these requirements. The customer must configure the environment so that Copilot processes data only for permitted purposes.

Customer Steps to Align Copilot with LGPD Obligations

The following steps cover the main configuration areas where the customer must act to meet LGPD requirements. Each step assumes the customer has a Microsoft 365 E3 or E5 license with the Copilot for Microsoft 365 add-on, plus access to the Microsoft 365 admin center and the Microsoft Purview portal.

  1. Classify all personal data with Microsoft Purview sensitivity labels
    Create sensitivity labels for categories such as “LGPD Personal Data” and “LGPD Sensitive Personal Data.” Apply these labels automatically using auto-labeling policies for documents and emails that contain CPF numbers, health data, or biometric data. Copilot respects sensitivity labels and will not include labeled content in its responses unless the user has explicit access rights.
  2. Restrict Copilot data sources in the Microsoft 365 admin center
    Go to Settings > Org settings > Copilot for Microsoft 365. Under “Data sources,” select specific SharePoint sites and OneDrive folders that contain LGPD-compliant data. Remove any site that stores personal data without a legal basis. This prevents Copilot from retrieving data from unapproved repositories.
  3. Configure Azure AD Conditional Access policies for Copilot
    Create a Conditional Access policy that blocks access to Copilot for Microsoft 365 unless the user has accepted a consent statement. Use the “Terms of use” feature in Azure AD to present an LGPD consent document. Require multi-factor authentication for all Copilot access to meet the security requirement in Article 46.
  4. Implement data subject request workflows in Microsoft Purview
    Use the Microsoft Purview compliance portal to create data subject request templates. When a Brazilian user requests access to or deletion of their personal data processed by Copilot, use the Content Search and eDiscovery tools to locate the data across Exchange, SharePoint, and OneDrive. Copilot does not store prompts separately, but the underlying documents are subject to DSRs.
  5. Audit Copilot interactions with Microsoft 365 Audit Log
    Enable audit logging in the Microsoft 365 admin center. Search the audit log for events such as “Copilot interaction” and “Copilot grounded response.” Review these logs regularly to detect unauthorized processing of personal data. Retain logs for at least six months to comply with LGPD record-keeping requirements.
  6. Define a data retention policy for Copilot-related content
    Apply retention labels to documents and emails that Copilot indexes. Set deletion periods that match the LGPD principle of data minimization. For example, delete HR records containing personal data five years after the employee leaves the company. Copilot cannot retain data beyond the retention policy applied to the source content.
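The script below is an added example, not code from the original article or from Microsoft, of the periodic review that steps 1, 2 and 5 call for. It takes Copilot interaction records in the shape the unified audit log export returns (one record per event, with the event detail as a JSON string in AuditData), parses the detail, and checks every resource Copilot grounded on against the approved data source list and the LGPD sensitivity labels. The tenant URLs, label GUIDs, user names, the CopilotEventData/AccessedResources field layout and the sample records are all constructed assumptions; compare the field names against a real export from your tenant before relying on them.

```python
"""Review Copilot interaction audit records against LGPD data-source and label controls."""
import json
from collections import Counter

# Step 2: site collections approved as Copilot data sources. Hypothetical tenant URLs.
APPROVED_SITES = (
    "https://contoso.sharepoint.com/sites/HR-LGPD",
    "https://contoso.sharepoint.com/sites/Support-Approved",
)

# Step 1: sensitivity label GUID -> label name. Placeholder GUIDs, not real label IDs.
LABELS = {
    "11111111-1111-1111-1111-111111111111": "LGPD Personal Data",
    "22222222-2222-2222-2222-222222222222": "LGPD Sensitive Personal Data",
}
SENSITIVE_LABEL = "LGPD Sensitive Personal Data"


def _record(when, user, op, resources):
    """Build one constructed audit record. AuditData is a JSON string, as the unified
    audit log export returns it; the CopilotEventData layout here is an assumption."""
    return {
        "CreationDate": when,
        "UserIds": user,
        "Operations": op,
        "AuditData": json.dumps({
            "Operation": op,
            "UserId": user,
            "CopilotEventData": {"AccessedResources": resources},
        }),
    }


# Constructed sample export: three Copilot interactions and one unrelated file event.
SAMPLE_RECORDS = [
    _record("2024-05-02T13:10:00Z", "ana@contoso.com", "CopilotInteraction", [
        {"Name": "Onboarding.docx",
         "SiteUrl": "https://contoso.sharepoint.com/sites/HR-LGPD",
         "SensitivityLabelId": "11111111-1111-1111-1111-111111111111"},
    ]),
    _record("2024-05-02T14:25:00Z", "bruno@contoso.com", "CopilotInteraction", [
        {"Name": "Ticket-4471.xlsx",
         "SiteUrl": "https://contoso.sharepoint.com/sites/LegacyTickets",
         "SensitivityLabelId": "22222222-2222-2222-2222-222222222222"},
    ]),
    _record("2024-05-03T09:00:00Z", "carla@contoso.com", "CopilotInteraction", [
        {"Name": "Payroll-2023.xlsx",
         "SiteUrl": "https://contoso.sharepoint.com/sites/Support-Approved/Finance",
         "SensitivityLabelId": ""},
    ]),
    _record("2024-05-03T09:05:00Z", "carla@contoso.com", "FileAccessed", []),
]


def site_is_approved(site_url, approved_sites=APPROVED_SITES):
    """Prefix match on the site collection so sub-sites and libraries count as approved."""
    url = site_url.lower().rstrip("/")
    return any(url == s.lower() or url.startswith(s.lower() + "/") for s in approved_sites)


def review_copilot_audit(records, approved_sites=APPROVED_SITES, labels=LABELS):
    """Return one finding per resource that violates a control. Three kinds:
    UNAPPROVED_SOURCE  - grounded on a site not in the approved data-source list
    SENSITIVE_ACCESS   - grounded on content labelled sensitive personal data (needs review)
    UNLABELED_RESOURCE - grounded on content carrying no sensitivity label at all"""
    findings = []
    for rec in records:
        if rec.get("Operations") != "CopilotInteraction":
            continue  # other workloads are out of scope for this review
        data = json.loads(rec["AuditData"])
        base = {"when": rec["CreationDate"], "user": data.get("UserId", rec.get("UserIds"))}
        for res in data.get("CopilotEventData", {}).get("AccessedResources", []):
            site = res.get("SiteUrl", "")
            label = labels.get(res.get("SensitivityLabelId") or "")
            detail = dict(base, resource=res.get("Name"), site=site, label=label)
            if site and not site_is_approved(site, approved_sites):
                findings.append(dict(detail, kind="UNAPPROVED_SOURCE"))
            if label == SENSITIVE_LABEL:
                findings.append(dict(detail, kind="SENSITIVE_ACCESS"))
            if label is None:
                findings.append(dict(detail, kind="UNLABELED_RESOURCE"))
    return findings


def summarize(findings):
    """Count findings by kind, the figure to track from one review to the next."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    found = review_copilot_audit(SAMPLE_RECORDS)
    for f in found:
        print(f"{f['when']} {f['kind']:<18} {f['user']} {f['resource']} ({f['site']})")
    print(summarize(found))
```

Against the sample records the review raises three findings: Bruno's interaction grounded on a site outside the approved list and on sensitive personal data, and Carla's interaction grounded on an unlabeled spreadsheet inside an approved site. The unlabeled case is the one auto-labeling in step 1 is meant to prevent, so a rising count of it between reviews points at a gap in the auto-labeling policy rather than at user behaviour.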

If Copilot Processes Data Without a Legal Basis

Copilot returns personal data of a customer’s client without consent

This happens when a user prompts Copilot to summarize a support ticket that contains a client’s CPF and address. The customer must have a legitimate interest or consent basis for processing that data. To fix this, apply a sensitivity label to all support tickets that contain personal data and configure auto-labeling to block Copilot from indexing them unless the user has a need-to-know permission. Alternatively, move the data to a SharePoint site that is excluded from Copilot data sources.

Copilot retains personal data longer than allowed by LGPD

Copilot does not store prompts or responses outside of the source documents. However, if the source documents are retained indefinitely, Copilot can retrieve them at any time. Apply a retention policy in Microsoft Purview that deletes documents containing personal data after the period defined in the customer’s LGPD data retention schedule. Use the “Data Lifecycle Management” feature to enforce automatic deletion.

A data subject requests deletion of data processed by Copilot

The customer must locate the data across all Microsoft 365 services. Use Content Search in the Microsoft Purview portal with a query that matches the data subject’s name or identifier. Export the results, verify that no other legal hold applies, and use the “Delete” action in the compliance portal. Copilot does not have a separate deletion mechanism; deleting the source document removes the data from Copilot’s reach.
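The following script is an added example, not code from the original article or from Microsoft Purview, serving two passages: the CPF detection that step 1's auto-labeling relies on, and the Content Search query this deletion scenario describes. Purview's built-in Brazil CPF Number sensitive information type performs the same check-digit validation during auto-labeling; the script shows what that validation is, and reuses it so a DSR search is only run for an identifier that is actually a well-formed CPF. The ticket text, names and CPF values are constructed; the assumption that the tenant's Content Search accepts a plain KQL keyword query is also an assumption.

```python
"""Detect Brazilian CPF numbers with check-digit validation and build a DSR search query."""
import re

# Formatted (123.456.789-09) or bare (12345678909) CPF candidates.
CPF_PATTERN = re.compile(r"\b(\d{3})\.?(\d{3})\.?(\d{3})-?(\d{2})\b")

# Constructed support ticket text, the kind of content step 1 auto-labels.
SAMPLE_TICKET = (
    "Ticket 4471: cliente Ana Souza, CPF 123.456.789-09, solicita segunda via.\n"
    "Contato alternativo: CPF 52998224725 (titular Bruno Lima).\n"
    "Numero digitado errado no formulario: 123.456.789-00.\n"
    "Registro de teste: 111.111.111-11.\n"
)


def cpf_is_valid(cpf):
    """Check the two CPF verification digits (mod 11 over weights 10..2, then 11..2).
    A run of one repeated digit passes the arithmetic but is never issued, so reject it."""
    digits = re.sub(r"\D", "", cpf)
    if len(digits) != 11 or len(set(digits)) == 1:
        return False
    nums = [int(c) for c in digits]
    for pos in (9, 10):  # index of the first and second check digit
        total = sum(d * w for d, w in zip(nums[:pos], range(pos + 1, 1, -1)))
        remainder = total % 11
        expected = 0 if remainder < 2 else 11 - remainder
        if nums[pos] != expected:
            return False
    return True


def format_cpf(digits):
    """Render 11 bare digits in the conventional 000.000.000-00 layout."""
    return f"{digits[:3]}.{digits[3:6]}.{digits[6:9]}-{digits[9:]}"


def find_cpfs(text):
    """Return validated CPFs as bare 11-digit strings, first occurrence order, no duplicates."""
    found = []
    for m in CPF_PATTERN.finditer(text):
        digits = "".join(m.groups())
        if cpf_is_valid(digits) and digits not in found:
            found.append(digits)
    return found


def build_dsr_query(subject_name, cpf):
    """KQL keyword query for a Purview Content Search covering the name and both CPF forms.
    Refuses an invalid CPF so a typo does not turn into a search for someone else's data."""
    if not cpf_is_valid(cpf):
        raise ValueError("CPF failed check-digit validation; confirm it with the data subject")
    digits = re.sub(r"\D", "", cpf)
    terms = [subject_name, format_cpf(digits), digits]
    return " OR ".join(f'"{t}"' for t in terms)


if __name__ == "__main__":
    print("validated CPFs:", [format_cpf(d) for d in find_cpfs(SAMPLE_TICKET)])
    print("content search query:", build_dsr_query("Ana Souza", "123.456.789-09"))
```

Searching for both the formatted and the bare form matters because documents store CPFs inconsistently, and a search that matches only one form leaves copies behind that Copilot can still retrieve. Exporting the hits and checking for legal holds, as the scenario describes, still happens in the Purview portal; the script only prepares the query.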

Copilot Customer Responsibilities vs Microsoft Responsibilities for LGPD

Item | Customer Responsibility | Microsoft Responsibility
Legal basis for processing | Define and document consent, legitimate interest, or contract performance for each data set | Provide contractual terms that designate Microsoft as processor
Data classification | Apply sensitivity labels and retention policies to personal data | Enforce labels and policies in Copilot responses
Consent management | Present consent statements and enforce acceptance via Conditional Access | Provide the Terms of Use feature in Azure AD
Data subject requests | Locate, export, and delete personal data using Purview tools | Provide Content Search and eDiscovery capabilities
Security measures | Enable MFA, restrict admin roles, and audit Copilot access | Maintain SOC 2 and ISO 27001 certifications for infrastructure
Incident response | Notify ANPD within 72 hours of a data breach involving Copilot | Notify customer of any breach within 72 hours

The table clarifies that the customer controls the legal and operational aspects of LGPD compliance. Microsoft provides the technical platform and contractual safeguards, but the customer must configure them correctly.

Your organization can now use Copilot for Microsoft 365 in Brazil while meeting LGPD obligations by classifying data, restricting sources, managing consent, and handling data subject requests through Microsoft Purview. Next, review the Microsoft Product Terms for the most current data processing terms. For advanced protection, enable Customer Lockbox in the Microsoft 365 admin center to require explicit approval before Microsoft engineers access your data.