A Data Processing Agreement (DPA) is the legally binding contract governing how cloud providers handle your customer data. Under the General Data Protection Regulation (GDPR), processors must notify you when adding third-party subprocessors who touch your data, giving you time to assess risks and object. Microsoft just shortened that window for AI vendors to 30 days.
What did Microsoft change in its DPA?
On May 22, 2026, Microsoft updated its Products and Services Data Protection Addendum to reduce AI subprocessor notice to 30 days, down from the previous six-month standard. The change applies to anyone using Microsoft 365, Azure, Dynamics 365, or Microsoft Advertising under a volume licensing agreement—basically every enterprise customer.
AI-specific vendors now require only 30 days' notice, and customers retain a right to disable the vendor's access during that period, but the option expires six months after notice is given. Non-AI subprocessors still get the six-month notice period. It's a single paragraph in a 40-page document, buried in legalese most marketing and engineering teams have never read.
Microsoft's AI business reached a $37 billion annual run rate as of April 2026. AI isn't peripheral—it's how Copilot, Azure OpenAI, and Agent Mode actually work. That means the shortened notice period affects the core of what enterprises are buying.
Why does the GDPR care about subprocessors?
Under GDPR Article 28, companies that hand their data to Microsoft remain legally responsible for what happens to that data, even when Microsoft passes it to one of its subprocessors. If Microsoft brings in a new AI vendor with access to customer data and that vendor mishandles it, the enterprise customer can be held accountable too, not only Microsoft.
You're the data controller. Microsoft is the processor. The AI model provider—say, Anthropic or a safety evaluation tool—is the subprocessor. If Microsoft wants to bring in a new subprocessor with access to customer data, it has to tell customers in advance, giving them time to assess whether the new vendor meets their data protection standards—and, if not, to object or exit the contract.
Violations aren't theoretical. GDPR Article 83(4) sets fines of up to €10M or 2% of global annual turnover for Article 28 violations. The CNIL has fined organisations both for missing DPAs with cloud providers and for unauthorised subprocessor chains.
How does 30 days compress your compliance workflow?
[Figure: Microsoft Azure AI subprocessor notification timeline]
Microsoft sends a subprocessor notice. Your procurement, legal, privacy, and security teams now have 30 days to:
- Monitor the notice — Does anyone in your org actively watch Microsoft's subprocessor list?
- Assess the vendor — Does this AI subprocessor process data in a jurisdiction your DPIAs permit? Does it meet your security baseline?
- Update documentation — Does the Records of Processing Activities (ROPA) entry reflect the new data flow? Does the vendor risk file need updating?
- Decide and act — Can you disable the functionality? Do you need to object? Who owns that call when the AI feature is already embedded in a business-critical tool?
None of those questions is new. What the addendum change does is compress the time available to answer them.
Most enterprises don't have real-time vendor monitoring. The DPA was signed during procurement, the privacy@ inbox was set up, and the subprocessor chain was assumed to be handled. The legal framework assumes controllers actively manage these notifications. Almost none do, according to analysis from compliance engineers.
Why did Microsoft make this change?
AI infrastructure changes faster than traditional software. Model providers release new versions. Safety evaluation tools get replaced. Agentic features—AI systems that can take actions on a user's behalf—enter processing chains on timelines that a six-month notification cycle cannot accommodate.
Microsoft isn't alone. OpenAI's DPA also uses 30-day notice periods for subprocessor changes under general authorization. The SaaS industry standard is converging around 30 days for routine updates, with 10–15 days for objections.
But "industry standard" doesn't mean GDPR-compliant. Article 28(4) provides that where a processor engages another processor to carry out specific processing activities on behalf of the controller, the same data protection obligations must be imposed on that other processor, and that where the other processor fails to fulfil those obligations, "the initial processor shall remain fully liable to the controller".
You can't outsource liability. Microsoft remains responsible for its subprocessors' compliance. You remain responsible for Microsoft's.
What should you do if you use Azure or Microsoft 365?
Subscribe to notifications. Microsoft publishes updates to its Online Services Subprocessor List with at least six months' notice for most vendors, but AI subprocessors now fall under the 30-day track. Set up email alerts; don't rely on manual checks.
Map your AI surface area. Where are you using Copilot, Azure OpenAI, Dynamics 365 AI features, or Microsoft Advertising's targeting tools? If the answer is "everywhere," you need a process to flag when a new AI subprocessor might touch regulated data (health, financial, EU resident PII).
Pre-authorize or pre-reject jurisdictions. If your DPIAs already prohibit certain transfer destinations, document that in your vendor risk playbook. When Microsoft adds a subprocessor in a restricted region, you know immediately whether you can object.
Test your objection workflow. You have 30 days. Can your team actually complete a vendor assessment, update the ROPA, notify stakeholders, and decide whether to disable functionality in that window? If not, the right to object is theoretical.
Link DPA compliance to your launch checklist. Subprocessor governance isn't a one-time procurement task—it's an operational obligation that runs for the life of the contract. If you're shipping features that use Microsoft AI services, make sure someone owns the inbox that receives those 30-day notices.
Frequently Asked Questions
What is a subprocessor under GDPR?
A subprocessor is a third-party vendor hired by your processor (e.g., Microsoft) to handle specific parts of data processing on your behalf. Under Article 28, processors must get your written authorization before engaging subprocessors, and you retain the right to object.
Does the 30-day notice apply to all Microsoft subprocessors?
No. The 30-day period applies specifically to AI-related subprocessors. Traditional infrastructure and service subprocessors still receive six months' advance notice under Microsoft's updated DPA.
What happens if I object to a new AI subprocessor?
Microsoft must either find an alternative solution, allow you to disable the affected functionality, or permit you to terminate the affected service without penalty. You typically have 30 days to object after receiving notice.
Can I be fined if Microsoft's subprocessor violates GDPR?
Yes. As the data controller, you remain legally liable for GDPR compliance even when processing is outsourced. Article 83(4) allows fines up to €10 million or 2% of global annual turnover for Article 28 violations, and regulators can pursue both you and Microsoft.
How do I monitor Microsoft's subprocessor changes?
Microsoft maintains a public subprocessor list and offers email notification subscriptions. You can also scan your site to identify which Microsoft services you're using and map data flows to ensure your compliance documentation stays current.
Are other cloud providers making similar DPA changes?
Yes. OpenAI, Anthropic (when acting as a Microsoft subprocessor), and many enterprise SaaS platforms use 30-day notice periods under "general authorization" models. The AI industry is moving faster than traditional six-month SLA cycles, and DPAs are adjusting accordingly.
