
GitHub Copilot GDPR: DPA, IP & German Compliance Guide

Short answer

GitHub Copilot includes a Data Processing Agreement through Microsoft's standard DPA. For GDPR-compliant use in Germany, you need GitHub Copilot for Business or Enterprise with EU data residency enabled and a signed Data Processing Agreement before any personal data is processed.

  • Use Copilot Business or Enterprise — Individual plans have no DPA and must not be used for business code.
  • Sign the GitHub Data Processing Agreement and confirm it covers your specific plan before processing any personal data.
  • Enable EU data residency for Enterprise to keep inference and data processing within Microsoft Azure EU regions.
  • Engage the Betriebsrat under §87(1) No. 6 BetrVG before rollout if developer activity or performance metrics could be monitored.

For GDPR-compliant use in Germany, Copilot must be deployed on the Business or Enterprise plan, with EU data residency enabled and the Data Processing Agreement signed before any personal data enters the system. Engineering managers, procurement teams, and legal counsel evaluating Copilot for enterprise deployment in Germany must address five areas: the DPA structure, EU data residency options, GDPR compliance, German law obligations under BetrVG, and IP ownership under Urheberrecht. For a broader overview of AI tools assessed for German enterprise use, see the AI tools guide.

Does GitHub Copilot Have a Data Processing Agreement?

Yes — GitHub Copilot includes a Data Processing Agreement (DPA) for Business and Enterprise subscribers. The GitHub DPA is provided as part of the GitHub Customer Agreement and establishes Microsoft/GitHub as an Article 28 GDPR processor. Without a signed DPA, there is no legal basis to transfer personal data — including code containing employee identifiers or customer data — to GitHub’s infrastructure.

How to access the GitHub DPA:

  1. Review the GitHub Data Protection Agreement, published in the GitHub Customer Agreement and Privacy documentation. Enterprise Agreement customers should confirm that GitHub Copilot is explicitly in scope — coverage can vary by agreement version and subscription tier.
  2. Verify your plan is covered. Copilot Individual subscribers are not protected by the DPA and cannot use the service for business code processing.
  3. For organisations requiring a separately countersigned DPA, contact GitHub Enterprise sales. Large deployments often negotiate supplemental data protection terms.

Key elements of the GitHub DPA:

  • Article 28 processor obligations — GitHub commits to process personal data only on your documented instructions.
  • Subprocessors — GitHub publishes its subprocessor list, including Microsoft Azure infrastructure. Enterprise customers can object to new additions.
  • Training data exclusion — The DPA contractually confirms that Business and Enterprise customer code is not used to train models.
  • Data retention — Prompts and suggestions are transient; the DPA specifies retention periods and deletion commitments.
  • Security measures — Technical and organisational measures are described in the GitHub Security Addendum.
  • Breach notification — GitHub commits to notify customers without undue delay of any security incident affecting their data.
  • Audit rights — Customers may commission third-party audits of GitHub’s compliance, subject to reasonable terms.

Is code personal data? Code itself is generally not personal data. However, code containing developer comments with employee names, customer identifiers, API keys, or email addresses may include personal data. Your organisation should establish what developers may include in Copilot prompts and reflect this in a Betriebsvereinbarung or internal usage policy.

For a broader understanding of how Article 28 GDPR applies to AI tool procurement, see the data processing agreement guide.

GitHub Copilot EU Data Residency

EU data residency determines where GitHub Copilot processes inference requests and stores associated telemetry. For German companies with strict data sovereignty requirements, regulated sector obligations, or public procurement constraints, understanding Copilot’s data residency options is a prerequisite for deployment approval.

Copilot Enterprise: EU data residency available. GitHub Copilot Enterprise supports EU data residency via Microsoft Azure EU regions, including Frankfurt (Germany West Central) and the Netherlands (West Europe). When EU data residency is enabled, inference requests and associated data processing occur within the EU. This directly addresses DSGVO Art. 28 requirements for companies in financial services, healthcare, and the public sector where data localisation is a hard requirement.

Copilot Business: SCC-backed transfers. Copilot Business does not offer the same configurable EU data residency as Enterprise. Data may be processed on Microsoft Azure infrastructure globally, backed by Standard Contractual Clauses (SCCs) as the transfer mechanism under GDPR Chapter V. For most DACH companies deploying Copilot for standard development productivity, SCC-backed transfers are legally sufficient. Regulated sectors should verify whether explicit EU data residency is required under sector-specific rules.

SOC 2 and ISO certifications. GitHub maintains SOC 2 Type II and ISO 27001 certifications covering its enterprise infrastructure. These certifications are relevant for GDPR Art. 32 assessments of appropriate technical measures and for enterprise procurement requirements. Certification copies are available under NDA from your GitHub Enterprise account team or via GitHub’s Trust Center.

GitHub Copilot and GDPR

GitHub Copilot can be deployed in a GDPR-compliant manner when three conditions are met:

  1. Copilot Business or Enterprise is selected. These plans include the GitHub DPA, organisation-wide policy controls, and a contractual commitment that customer code is not used for model training. The Individual plan does not include a DPA and must not be used for processing business code.
  2. The GitHub DPA is signed and confirmed in scope. Without it, there is no legal basis for processing personal data through the tool.
  3. Data handling is configured correctly. Telemetry settings, snippet retention, and whether code suggestions can be used for model improvement must be reviewed and set for each organisation.

What distinguishes Copilot Business and Enterprise from unmanaged use is the contractual training data commitment. GitHub explicitly states that code submitted by Business and Enterprise customers is not used to train Copilot’s AI models. This is a critical GDPR distinction: processing code for model training without consent would require a legal basis that most enterprises cannot establish.

GitHub Advanced Security and GDPR Compliance

GitHub Advanced Security (GHAS) is an add-on for GitHub Enterprise that provides SAST (static application security testing), secret scanning, dependency review, and licence compliance tooling. For organisations subject to GDPR, GHAS is relevant in two ways: it strengthens the security posture required under Art. 32 GDPR, and it introduces its own data processing considerations that must be covered by the GitHub DPA.

Secret scanning and GDPR. GHAS secret scanning automatically detects API keys, tokens, passwords, and certificates committed to repositories. Under GDPR, authentication tokens may qualify as pseudonymous personal data if they can be linked to individuals. Processing through GHAS is covered by the GitHub DPA. Your internal policy should specify how flagged secrets are handled and who has access to scanning results.

Dependency review and Art. 32 obligations. GHAS dependency review flags known vulnerabilities (CVEs) in open-source dependencies. For companies processing personal data in applications that include Copilot-generated code, maintaining a current dependency inventory supports GDPR Art. 32 obligations around keeping software up to date and preventing exploitation of known vulnerabilities.

SAST and code scanning. Code scanning analyses Copilot-generated and human-written code for security vulnerabilities. For regulated development contexts — financial systems, healthcare, e-commerce platforms handling personal data — automated SAST is a recommended technical measure under GDPR Art. 32 and a control expected by regulators such as BaFin (financial services) and the BSI (IT security baseline).

GitHub Advanced Security for GDPR: Including GHAS in a Copilot Enterprise deployment provides the strongest alignment between AI-assisted development workflows and GDPR Art. 32 technical measures.

GitHub Copilot for Business vs. Enterprise: Privacy and Compliance Features

Feature                               | Copilot Business    | Copilot Enterprise
--------------------------------------|---------------------|-----------------------------
Data Processing Agreement (DPA)       | Yes                 | Yes
Training data exclusion               | Yes                 | Yes
EU data residency                     | No (SCC-backed)     | Yes (Azure EU regions)
IP indemnification                    | No                  | Yes
GitHub Advanced Security integration  | No                  | Yes
Private model fine-tuning             | No                  | Yes
SOC 2 Type II / ISO 27001             | Yes                 | Yes
Audit log access                      | Organisation-level  | Enterprise-level, expanded
SSO / SAML                            | Yes                 | Yes, with enhanced controls
Policy management                     | Organisation        | Enterprise

For most DACH companies deploying Copilot for the first time, Copilot Business provides adequate GDPR compliance with the DPA, training exclusion, and SOC 2 coverage. Copilot Enterprise is recommended when EU data residency is required (regulated sectors, public procurement), when IP indemnification is a contract requirement, or when GitHub Advanced Security is in scope.

For related Microsoft AI tool compliance, see the Microsoft 365 Copilot compliance guide.

German Law Considerations: BetrVG and DSGVO

Deploying GitHub Copilot in a German workplace requires works council engagement before rollout — not as a courtesy, but as a legal obligation in most organisations with more than five employees.

When co-determination rights apply:

  • §87(1) No. 6 BetrVG — Technical monitoring of employee behaviour or performance. If Copilot generates usage logs, suggestion acceptance rates, or developer activity reports accessible to management, this provision likely applies. The purpose of deployment does not need to be surveillance — the mere capability to monitor is sufficient to trigger co-determination rights.
  • §87(1) No. 13 BetrVG — Changes to work processes and organisation. Copilot materially changes how developers write code. Even if a prior tool was covered by a Betriebsvereinbarung, a new AI coding assistant may require fresh consultation.

Structuring the Betriebsvereinbarung for Copilot:

A Betriebsvereinbarung for GitHub Copilot should cover:

  1. Approved use cases and code categories where Copilot may be applied.
  2. What data is transmitted to GitHub (prompts, snippets) and the DPA status.
  3. Logging configurations and management access levels.
  4. Developer transparency rights — what is recorded and how long it is retained.
  5. Whether Copilot usage statistics may feature in performance evaluations.
  6. A review procedure if vibe coding or AI-generated codebase workflows are adopted.

DSGVO Art. 35 — Data Protection Impact Assessment. Before deployment, assess whether a DPIA is required. For standard developer tool deployments with no special category data, a DPIA is typically not mandatory. A documented risk assessment is nonetheless recommended as evidence of accountability under Art. 5(2) GDPR.

Note on BDSG §26: If employer systems track which Copilot suggestions developers accept or reject, §26 Bundesdatenschutzgesetz (BDSG) applies alongside GDPR, requiring a specific legal basis for processing employee data and limiting permissible purposes to employment relationship management.

IP Ownership and GitHub Copilot Under German Law

Under §7 Urheberrechtsgesetz (UrhG), copyright in Germany vests in the human author of a creative work. There is no mechanism under current German law for AI-generated works to receive copyright protection:

  • AI-generated code has no copyright protection under German law. If GitHub Copilot generates a function or module without meaningful human creative input, that code cannot be protected as a copyright work in Germany.
  • Your company may still use and exploit the code commercially, but cannot prevent others from generating the same code independently — including if a competitor’s AI tool produces an identical suggestion.
  • Microsoft’s IP indemnification (Enterprise tier) covers third-party copyright claims against your company. It does not create copyright protection for AI-generated output that has none under German law.

Practical safeguards:

  • Enable the duplicate detection filter to reduce GPL contamination risk.
  • Review AI suggestions before accepting, particularly for common utility functions.
  • Document your review process as evidence of human creative contribution.
  • Establish clear client contract provisions around IP ownership for AI-assisted deliverables.

GitHub Copilot Deployment Checklist for German Companies

Before deploying GitHub Copilot in a German organisation:

  1. Select the right plan — Copilot Business or Enterprise only. Document that Individual plan use is not permitted for business code.
  2. Sign and verify the DPA — Confirm the GitHub Data Processing Agreement is active and covers your specific subscription and data categories.
  3. Configure EU data residency — If required by sector regulation or contract, enable EU data residency (Enterprise only).
  4. Configure data handling — Disable code use for model improvement; review telemetry settings and retention periods.
  5. Assess IP implications — Establish an internal policy on AI-generated code review, commit annotation, and client contract provisions.
  6. Engage the Betriebsrat — Begin works council consultation before rollout; prepare a Betriebsvereinbarung covering §87(1) No. 6 BetrVG.
  7. Classify AI Act risk — Map each Copilot use case to the EU AI Act risk framework and apply mandatory obligations.
  8. Train development teams — Communicate what may and may not be included in prompts; document the training as evidence of compliance.

How Compound Law Helps

Compound Law supports German and DACH companies with:

  • DPA review and gap analysis — Verifying that the GitHub Data Processing Agreement covers your specific Copilot plan, subprocessors, and data categories.
  • EU data residency assessment — Advising on whether EU data residency is legally required for your sector and procurement context.
  • IP and Urheberrecht assessment — Analysing AI-generated code ownership under German copyright law and advising on contractual provisions for client deliverables.
  • Works council strategy — Drafting Betriebsvereinbarungen and supporting co-determination consultations for AI coding tool deployments.
  • AI Act risk classification — Mapping Copilot use cases to EU AI Act risk categories and advising on transparency, documentation, and oversight obligations.

FAQ

Does GitHub Copilot have a Data Processing Agreement (DPA)?

Yes. GitHub provides a Data Processing Agreement for Copilot Business and Enterprise subscribers. The DPA establishes Microsoft/GitHub as an Article 28 GDPR processor and covers subprocessors, data retention, breach notification, and security measures. Individual plan users do not receive a DPA and may not use the service to process business code.

Is GitHub Copilot GDPR compliant?

Yes, GitHub Copilot can be used in a GDPR-compliant way by German companies when Copilot Business or Enterprise is selected, the Microsoft GitHub DPA is signed, and data handling settings are configured to prevent code from being used for training. Individual plans do not include a DPA and are not suitable for business use.

Does GitHub Copilot offer EU data residency?

GitHub Copilot Enterprise supports EU data residency via Microsoft Azure EU regions (Frankfurt, Netherlands). Copilot Business uses SCC-backed transfers across global Azure infrastructure. For regulated sectors or public procurement with mandatory EU data residency requirements, Enterprise is the appropriate tier.

What is the difference between GitHub Copilot Business and Enterprise for GDPR?

Both plans include the GitHub DPA and training data exclusion. Enterprise adds configurable EU data residency, IP indemnification, GitHub Advanced Security integration, and expanded enterprise-level audit log access. Enterprise is recommended for financial services, healthcare, public sector, or any deployment where data sovereignty or IP indemnification is contractually required.

Can I use GitHub Copilot at my German company?

Yes, with the right setup: select Copilot Business or Enterprise, sign the GitHub DPA, configure data handling, assess Betriebsrat obligations under §87 BetrVG, and establish an IP policy for AI-generated code before rollout.

Does GitHub Copilot use my code to train its models?

With Copilot Business and Enterprise, GitHub commits contractually that your code is not used to train Copilot models. Individual plan users do not have this protection. Confirm training data exclusions in the current DPA and GitHub’s privacy documentation before deployment.

Who owns code generated by GitHub Copilot?

GitHub does not claim ownership of suggestions you accept. Under German Urheberrecht (§7 UrhG), AI-generated works have no legal author. Your company may use and exploit the code commercially, but the absence of copyright protection creates IP risk if third parties independently receive identical AI-generated output from the same model.

