[cientifico]

I'm my experience GDPR is relevant.

I need to inform my customers what I do with their personal data. That includes to which companies I share that data with.

Having an excel with customer data is providing that data to Microsoft. So I need, as responsible of the data, to know how they will use it. Any use case that isn't obvious have to be cleared stated in the data privacy agreement. Including moving data outside EU into other countries like America (where US government can request that data without even informing us) or using their data to train AI.

Come'on. If we need to inform that we used chatgpt (just in case they provide PI), why we will not need to inform about Microsoft.

[grabeh]

Key word is "may" be completely irrelevant! Of course, if you're providing an Excel of customer data, it will be relevant if the user is in the EU. But still, consent won't be relevant in that context.

User content may include personal data but may also not...so in some senses, better to include totality of use cases in a non-data protection related document.