In August and September 2025, Microsoft introduced a new M365 kit for data protection and at the same time published the revised version of the Microsoft Products and Services Data Protection Addendum (DPA) (as of September 2025).
New M365 kit: Practical support for GDPR compliance
The M365 kit is now available on the Microsoft Service Trust Portal and is designed to help small and medium-sized businesses in particular to efficiently implement privacy law requirements. The documentation was created in consultation with the data protection supervisory authorities in Bavaria and Hesse.
The kit contains the following documents:
- Cover sheet – overview and introduction
- Record of processing activities with sample entries (Art. 30 GDPR)
- Sample threshold analyses – assistance in deciding on a data protection impact assessment
- Legal basis for typical M365 use cases
- Sample privacy policy as a template for fulfilling information obligations
- Explanations on anonymisation – technical and legal
The M365 kit is considered an important step towards practical applicability. For the first time, it provides official sample documents in coordination with German supervisory authorities – but does not replace an individual legal assessment of a specific case.
Revised Data Protection Addendum (DPA)
According to Microsoft, the new version of the DPA was released in September 2025. The specific provisions should be verified against the published document.
- EU Data Act
With the EU Data Act coming into force on 12 September 2025, businesses and consumers will gain new rights with regard to cloud data and portability.
Read more about this in our blog post: Data Act as a challenge for data protection coming to business in September 2025.
For the first time, provisions from the EU Data Act (Regulation (EU) 2023/2854) are explicitly included in the DPA. Microsoft introduces the term “Exportable Data and Digital Assets (EDDA)” and regulates rights when switching providers.
- Expansion of the EU Data Boundary
The European Free Trade Association (EFTA) has been added to the locations where Microsoft stores and processes customer data and personal data, and where it stores professional services data at rest, for EU Data Boundary services.
- Telecommunications data
Wording has been added to the section on telecommunications data to indicate the customer’s obligation to obtain the end user’s consent.
There are other changes, such as Microsoft's obligation regarding digital resilience in the EU, which you can find in the new document.
Conclusion
The new DPA does not result in any fundamental changes for businesses, but the adjustments offer opportunities to optimise data protection and compliance. The new M365 kit can be a valuable practical aid in this regard.