Microsoft 365 GDPR compliance Germany — DSK, EU Data Boundary, and DPA guide

Microsoft 365 and GDPR: What German Companies Need to Know in 2026

Short answer

Microsoft 365 can be used GDPR-compliantly in Germany when the EU Data Boundary is enabled, a Data Processing Agreement is signed, and a DPIA is conducted where required — the 2025 LfD Niedersachsen ruling confirmed this pathway for private-sector companies, while public sector use remains more complex.

  • Sign and verify scope of the Microsoft Data Processing Agreement under GDPR Article 28 for all M365 services in use.
  • Enable the EU Data Boundary to keep Exchange, SharePoint, and Teams customer content in EU/EFTA regions — and verify what telemetry data still transfers.
  • Negotiate a Betriebsvereinbarung with the works council before deploying Teams monitoring, Viva Insights, or productivity analytics features.

Microsoft 365 can be used GDPR-compliantly in Germany — but compliance is not automatic. It requires the EU Data Boundary enabled for your tenant, a signed and verified Data Processing Agreement, a Data Protection Impact Assessment where required, and a Betriebsvereinbarung before deploying any employee monitoring features. The 2025 ruling by the LfD Niedersachsen marked a turning point for private-sector companies, confirming a legal pathway through careful configuration. For an overview of other enterprise tools assessed by our team, see AI tools reviewed by Compound Law.

Can German Companies Use Microsoft 365 Under GDPR?

Yes — with the right setup. Microsoft 365 is GDPR-compliant for German private-sector companies when four conditions are met:

  1. The Microsoft Data Processing Agreement is signed. This establishes Microsoft as an Article 28 GDPR processor and sets out obligations covering subprocessors, security, breach notification, and data deletion.
  2. The EU Data Boundary is enabled. Core customer content — Exchange emails, SharePoint files, Teams messages — must be stored and processed within EU/EFTA territory.
  3. A valid legal basis exists under Article 6 GDPR for each processing purpose. For most corporate use cases, Article 6(1)(b) (contract performance) or Article 6(1)(f) (legitimate interests) applies.
  4. A DPIA is conducted where large-scale processing of personal data — including employee data via Teams monitoring or Viva Insights — is involved.

Public sector use is more complex. Schools, authorities, and public bodies in several German Bundesländer face additional restrictions and should consult their Bundesland’s data protection authority before deploying.

The German DSK Scrutiny: What Happened and Where It Stands

The compliance debate around Microsoft 365 in Germany dates back to 2021, when the Kultusministerkonferenz (KMK) school debate put M365’s data transfers under intense scrutiny following the Schrems II ruling.

The Datenschutzkonferenz (DSK) — the joint conference of German federal and state data protection authorities — published guidance in 2021 and 2022 expressing fundamental concerns. At the core was the question of whether Microsoft’s Standard Contractual Clauses (SCCs) were sufficient to justify transfers of diagnostic and telemetry data to the United States under post-Schrems II standards. The DSK’s position created significant legal uncertainty for German businesses deploying M365, with some DPAs advising against use for schools and government bodies.

The 2025 turning point: In early 2025, the Landesbeauftragte für den Datenschutz Niedersachsen (LfD Niedersachsen) — the Lower Saxony data protection authority — published a positive assessment of Microsoft 365 for private-sector use. The assessment concluded that, with the EU Data Boundary properly configured and the updated DPA in place, M365 satisfies GDPR requirements for commercial organisations. This represented the first clear green light from a German DPA for private-sector M365 deployment.

Private sector vs. public sector divide: The LfD Niedersachsen assessment applies to private companies. Public sector organisations — particularly schools and government agencies — remain subject to stricter scrutiny in several Bundesländer. Baden-Württemberg, Bavaria, and other Länder education ministries have issued guidance that restricts or conditions M365 use for schools. Public sector AI compliance sets out the broader regulatory framework for public bodies.

Microsoft’s EU Data Boundary: What It Actually Means

The EU Data Boundary is Microsoft’s architectural commitment to store and process core customer data within EU and EFTA countries. It launched on January 1, 2023, and completed its full rollout across all Microsoft 365 services by end of 2024.

What stays in the EU under the EU Data Boundary:

| Data category | EU Data Boundary scope | Notes |
| --- | --- | --- |
| Exchange Online (email content) | Yes — stored and processed in EU | Includes email body, attachments |
| SharePoint Online (files) | Yes — stored and processed in EU | Includes OneDrive for Business |
| Microsoft Teams (chats, files) | Yes — stored and processed in EU | Chat content, meeting recordings |
| Account data | Yes | Tenant admin and user account information |
| System-generated logs | Yes | Audit logs, sign-in logs |

What may still transfer outside the EU:

  • Diagnostic and telemetry data — Microsoft collects limited service diagnostic data that may be processed outside the EU boundary. Microsoft states this is pseudonymised and limited in scope, but legal teams should review Microsoft’s current telemetry documentation and reflect this in any DPIA.
  • Customer support interactions — If you contact Microsoft support, support engineers outside the EU may access your data subject to role-based access controls.
  • Third-party connectors and integrations — Data flowing through third-party apps connected to M365 is governed by those providers’ terms, not Microsoft’s EU Data Boundary.

How to verify EU Data Boundary is enabled: In the Microsoft 365 Admin Center, navigate to Settings → Org Settings → Security & Privacy → Data Residency. Your tenant’s region and EU Data Boundary status should be confirmed here. If your organisation was provisioned before January 2023, verify that migration to the EU Data Boundary is complete.

The 2025 DPA Update: Key Improvements

Microsoft updated its Online Services Terms and Data Protection Addendum in 2025, introducing several material changes relevant to German companies:

  • EU-US Data Privacy Framework integration. Following the EU Commission adequacy decision of July 2023, Microsoft’s updated DPA incorporates the DPF as a transfer mechanism for residual data flows involving the US, supplementing SCCs.
  • EU Data Act alignment. The updated DPA includes provisions addressing cloud switching rights and data portability obligations under the EU Data Act, which entered into force in September 2025.
  • EFTA countries added. Norway, Iceland, and Liechtenstein are now explicitly included in the EU Data Boundary and DPA geographic scope, relevant for DACH companies with operations in these countries.
  • Enhanced subprocessor management. Microsoft added 30-day advance notice of subprocessor changes (previously 6 months for removals only), with a documented right to object.

German legal teams should verify that the updated DPA terms are accepted under their Microsoft Enterprise Agreement or Microsoft Customer Agreement, as automatic acceptance may depend on subscription type.

DPIA Requirements

A Data Protection Impact Assessment (DPIA) under Article 35 GDPR is required when processing is likely to result in a high risk to individuals. For Microsoft 365, the following scenarios typically trigger a mandatory DPIA:

  • Systematic monitoring of employees via Teams call analytics, Viva Insights productivity metrics, or presence tracking.
  • Large-scale processing of sensitive data — health records, legal matter content, or financial data processed in M365 at significant volume.
  • Organisations with 250+ employees using M365 for primary email and collaboration infrastructure.

The DSK recommends a DPIA for M365 as a precautionary measure even where Article 35’s mandatory threshold is not technically met, given the volume of personal data processed and the complexity of data flows involved.

What German DPAs expect in a DPIA for M365:

  1. Scope and purpose definition — Map all M365 services in use and document their processing purposes.
  2. Data flow analysis — Identify where personal data goes, including telemetry and support scenarios.
  3. Necessity and proportionality — Assess whether M365 features are limited to what is necessary.
  4. Risk assessment — Evaluate risks to employee and user data, especially from monitoring features.
  5. Mitigation measures — Document EU Data Boundary configuration, DPA terms, admin controls used to limit data processing.
  6. Residual risk sign-off — DPO sign-off (or equivalent review) on acceptable residual risk before deployment.

Works Council (Betriebsrat) Obligations

For German companies, deploying Microsoft 365 features that affect employees requires works council involvement under the Betriebsverfassungsgesetz (BetrVG). This is not optional — failure to involve the works council before implementing employee-monitoring features can result in an injunction.

M365 features that trigger §87(1) No. 6 BetrVG:

  • Microsoft Teams — call duration logs, meeting attendance, presence and availability tracking
  • Viva Insights — individual and team productivity analytics, meeting effectiveness data, focus time metrics
  • Exchange Online mail tracking — read receipt policies, delivery confirmation analytics at individual level
  • Microsoft Purview compliance features — employee communication monitoring, content search across mailboxes

What to cover in a Betriebsvereinbarung:

  • Permitted and prohibited M365 features for employee monitoring
  • Which data categories are collected and for what purposes
  • Individual vs. aggregated reporting (Viva Insights individual data is particularly sensitive)
  • Data retention periods for Teams call logs and audit logs
  • Employee rights to access and correct their data
  • Admin access controls: who can view employee-level data

For the broader legal framework governing AI and digital workplace monitoring in Germany, see AI employee monitoring compliance. For Teams-specific AI features including meeting transcription and call analysis by Copilot, see Microsoft Teams Copilot compliance.

§26 BDSG applies to employee data. When M365 processes personal data relating to employees — productivity data, email metadata, HR workflows — the Bundesdatenschutzgesetz (BDSG) §26 applies alongside GDPR, requiring a specific legal basis and limiting permissible purposes to employment relationship management.

Our Assessment

For private-sector companies in Germany, Microsoft 365 can be deployed GDPR-compliantly with proper configuration. The 2025 LfD Niedersachsen assessment removes the significant legal uncertainty that existed since 2021. The checklist is not short — DPA verification, EU Data Boundary activation, DPIA, Betriebsvereinbarung — but each step is achievable.

For public sector organisations and schools, the picture is more complex. Several Bundesländer data protection authorities continue to raise concerns or impose conditions for public bodies. Check your Bundesland’s DPA guidance before deploying M365 in schools, public authorities, or government-adjacent organisations.

Practical steps to make Microsoft 365 GDPR-compliant:

  1. Accept and verify scope of the Microsoft Data Processing Agreement
  2. Enable the EU Data Boundary for your tenant and confirm migration is complete
  3. Audit enabled M365 services and disable features not in use
  4. Conduct a DPIA covering all active M365 services
  5. Review and limit diagnostic data collection in admin settings
  6. Engage the works council and negotiate a Betriebsvereinbarung for employee-facing features
  7. Document legal basis for each processing purpose in your ROPA
  8. Review the subprocessor list and confirm transfer mechanisms are current
  9. Establish a process for reviewing Microsoft’s annual DPA updates
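Step 5 (review and limit diagnostic data collection) and the telemetry caveat in the EU Data Boundary section are the points in this checklist where an admin can actually apply a technical control on managed clients. The following PowerShell is an added example for this guide, not code from the original article or from Microsoft. It assumes the organisation implements the limit through the Microsoft 365 Apps privacy policy "Configure the level of client software diagnostic data sent by Office to Microsoft", which stores a SendTelemetry value (1 = Required, 2 = Optional, 3 = Neither) under the policy key shown; the function names, the baseline rule and the report layout are illustrative choices for this example.

```powershell
# Added example for this guide; not code from the original article or from Microsoft.
# Assumption: diagnostic data on managed Windows clients is limited through the
# Microsoft 365 Apps privacy policy that writes SendTelemetry (1 = Required,
# 2 = Optional, 3 = Neither) under the policy key below. Function names, the
# baseline rule and the report shape are illustrative choices for this example.

$PolicyPath = 'HKCU:\SOFTWARE\Policies\Microsoft\office\16.0\common\privacy'

function Get-OfficeDiagnosticLevel {
    # Reads the policy value and translates it into the level a DPIA would record.
    # An absent value means no policy applies and the user's own choice governs;
    # treat that as the weak state because it cannot be evidenced centrally.
    $item  = Get-ItemProperty -Path $PolicyPath -Name 'SendTelemetry' -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.SendTelemetry } else { $null }

    $level = 'NotConfigured'
    if ($null -ne $value) {
        $level = switch ($value) {
            1       { 'Required' }
            2       { 'Optional' }
            3       { 'Neither' }
            default { "Unknown($value)" }
        }
    }

    [pscustomobject]@{
        PolicyPath    = $PolicyPath
        RawValue      = $value
        Level         = $level
        # Baseline for this example: only the minimum (Required) or no diagnostic data passes.
        MeetsBaseline = ($level -in @('Required', 'Neither'))
    }
}

function Set-OfficeDiagnosticLevel {
    # Weak setting: Optional (2) or no policy at all. Corrected setting: Required (1),
    # or Neither (3) where the organisation accepts losing client diagnostics entirely.
    param([ValidateSet('Required', 'Neither')][string]$Level = 'Required')
    $map = @{ Required = 1; Neither = 3 }
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name 'SendTelemetry' -Value $map[$Level] `
        -PropertyType DWord -Force | Out-Null
}

# Audit first, remediate only when the client is below the baseline, then re-audit so the
# before/after report can be attached to the DPIA's mitigation measures.
$before = Get-OfficeDiagnosticLevel
if (-not $before.MeetsBaseline) {
    Set-OfficeDiagnosticLevel -Level 'Required'
}
$after = Get-OfficeDiagnosticLevel
[pscustomobject]@{ Before = $before.Level; After = $after.Level } | Format-List
```

In production the policy is delivered centrally through Group Policy (the Office ADMX templates) or the Cloud Policy service for Microsoft 365, and this script is the local equivalent used to audit a client and produce evidence for the DPIA. Note the scope: it governs the diagnostic data the Microsoft 365 Apps client sends, not the service-side diagnostic data that Microsoft states may be processed outside the EU Data Boundary; that residual flow still has to be documented in the DPIA as described above.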

Note on Microsoft 365 Copilot: This guide covers Microsoft 365 core services — Exchange, SharePoint, Teams. The AI-powered Copilot layer introduces additional considerations covered separately. See the Microsoft 365 Copilot compliance guide for Copilot-specific GDPR and AI Act obligations.

How Compound Law Helps

  • DPA review and gap analysis — verifying the Microsoft DPA covers your specific services, subscription tier, and data categories
  • EU Data Boundary configuration review — confirming your tenant’s data residency settings are correctly implemented and documented
  • DPIA scoping and execution — assessing scope, conducting the DPIA, and producing documentation German DPAs expect
  • Works council strategy — drafting Betriebsvereinbarungen for M365 and supporting co-determination consultations
  • Public sector M365 assessment — evaluating your Bundesland’s regulatory position and advising on the right deployment approach

FAQ

Is Microsoft 365 GDPR compliant?

Microsoft 365 can be used GDPR-compliantly in Germany when the EU Data Boundary is enabled, the Microsoft Data Processing Agreement is signed, a valid legal basis exists under Article 6 GDPR, and a DPIA is conducted where required. The 2025 LfD Niedersachsen assessment confirmed this pathway for private-sector organisations. Compliance is not automatic — it depends on your configuration and contractual setup.

Does Microsoft provide a Data Processing Agreement (DPA) for Microsoft 365?

Yes. Microsoft provides a Data Processing Agreement through its Online Services Terms and Data Protection Addendum. It covers Article 28 GDPR processor obligations including subprocessors, security measures, breach notification, audit rights, and data deletion. Enterprise customers should verify that their specific M365 services and subscription tier are covered.

Can German schools use Microsoft 365?

This remains contested. Private-sector companies may use M365 with proper configuration following the 2025 LfD Niedersachsen ruling. Schools and public authorities face stricter scrutiny — several German Länder education authorities have issued guidance restricting or conditioning M365 use for schools. Public sector organisations should consult their Bundesland’s data protection authority before deploying.

What is the EU Data Boundary?

The EU Data Boundary is Microsoft’s commitment to store and process core customer data — including Exchange email content, SharePoint files, and Teams chats — within EU and EFTA countries. It launched on January 1, 2023, and completed its rollout by end of 2024. Tenants must verify it is enabled. Limited diagnostic telemetry data may still transfer outside the EU.

Do I need a DPIA for Microsoft 365?

German data protection authorities recommend conducting a Data Protection Impact Assessment (DPIA) under Article 35 GDPR for Microsoft 365 deployments involving significant employee data processing — particularly where Teams monitoring, Viva Insights, or large-scale email processing are in scope. Even where a full DPIA is not strictly required under Article 35, the DSK guidance recommends it as a precautionary measure.
