Using generative AI in Microsoft 365 is not a risk in itself; it is a matter of consistent GDPR compliance and proper implementation of EU data protection requirements.
Copilot Web Search allows external web information to be integrated contextually into Copilot chats. In Microsoft Teams, features such as transcription, live translation, and meeting recording enable efficient, international, and accessible meetings as well as improved documentation. At the same time, the AI capabilities within Microsoft 365 process personal data, which requires an assessment under the EU General Data Protection Regulation (GDPR). Contrary to some claims, the use of these features can be GDPR-compliant. As with the deployment of Microsoft 365 and Microsoft Copilot more generally, compliance depends on a structured legal assessment and the proper implementation of applicable data protection requirements.
Copilot Web Search: Permissible with a Legitimate Interest Assessment
The use of Copilot Web Search is optional. When enabled, Copilot can access information from the Internet to provide more accurate responses. Copilot evaluates the user’s prompt and determines whether external web information may be helpful. It then generates a shortened search query and sends it to the Bing search service. From a data protection perspective, this process is relevant only if the shortened search query exceptionally contains personal data. The Bing search service is operated by Microsoft under its own independent controller responsibility.
In most cases, the legal basis for transferring data to Microsoft is the legitimate interest of the controller (Art. 6(1)(f) GDPR). This requires a documented balancing test between the controller’s interests and the rights and freedoms of the data subjects concerned. Due to the limited scope of data transmitted and clear purpose limitation, the resulting risk for data subjects will often be considered low.
Typical legitimate interests supporting the use of Copilot Web Search include:
- Improving efficiency in research and decision-making processes
- Enhancing the quality and accuracy of information
- Reducing risks associated with uncontrolled use of “shadow AI” tools
Because Bing is a global service, the EU Data Boundary does not apply to search queries. As a result, transfers of personal data to third countries, including the United States, cannot be entirely excluded. Such transfers are currently based on the EU-US Data Privacy Framework. Alternatively, organizations may rely on Standard Contractual Clauses (SCCs) as an appropriate safeguard for international data transfers.
Microsoft Teams: Lawful Use of Transcription, Translation, and Recording
Transcriptions, live translations, and recordings in Microsoft Teams typically involve the processing of personal data. In employment contexts, relying on consent is often not considered a robust legal basis due to the imbalance between employer and employee. Therefore, organizations typically rely on legitimate interests (Art. 6(1)(f) GDPR).
To rely on this legal basis, three conditions must be met:
- The existence of a legitimate interest of the controller or a third party (e.g., ensuring traceability of decision-making processes)
- The necessity of the processing to pursue that interest (for example, assessing whether manual note-taking would constitute a less intrusive alternative)
- A balancing test with the interests, fundamental rights, and freedoms of the data subjects involved (e.g., where particularly sensitive discussion topics are involved)
Article 9 GDPR, which regulates the processing of special categories of personal data, will generally not apply in this context. Microsoft Teams does not process participants’ voices for biometric identification but solely for content processing, such as transcription or translation.
Organizations must nevertheless comply with transparency obligations under Art. 13 GDPR and ensure that data subject rights, including the right of access and the right to object, can be exercised effectively. They must also implement appropriate data retention and deletion policies to ensure GDPR-compliant data lifecycle management. In addition to data protection law, organizations must also consider applicable national criminal laws. For example, under Section 201 of the German Criminal Code (StGB), recording non-public speech without authorization may constitute a criminal offense. Companies should therefore carefully assess the legal basis for recording meetings.
Conclusion
The use of AI features in Microsoft 365 is primarily a matter of governance. Organizations that clearly define the applicable legal bases, document legitimate interest assessments, ensure transparency, and implement the necessary technical and organizational measures can realize efficiency gains while effectively managing data protection risks.
More detailed information on data protection and digital sovereignty in Microsoft 365 can be found in Kommunikation & Recht, issue 12/2025, p. 755 ff. (available here as a free full-text publication in German).