An email lands in your support inbox. Can you please delete my video testimonial from your website and any ads you're running with it. I'm exercising my right to erasure under GDPR.

What do you do?

If you've collected video testimonials for any length of time, this email is coming. Sometimes the person changed jobs and doesn't want to be seen endorsing their old vendor. Sometimes it's a family issue, a privacy concern, a career pivot. Sometimes it's just that three years later they don't want a stranger scrolling past their face on a landing page. The reason rarely matters. The obligation does.

Under GDPR's right to erasure (Article 17), your response is on a clock. You have thirty days to act, unambiguous requirements about what action means in practice, and a narrow handful of grounds on which you can legitimately refuse. Get any of those wrong and the request becomes a complaint, and the complaint becomes an investigation.

This piece covers what right to erasure actually requires, when it applies to video testimonials (it's not a universal override), the thirty-day clock and what you must do within it, a step-by-step response workflow, the technical side of what "delete" actually means for a video, a template reply you can adapt, and how GetPureProof handles the mechanics.

Not legal advice. Everything below is educational. If you receive an actual erasure request and you're unsure, talk to a lawyer. The templates and workflow are starting points, not finished legal protocol.

What GDPR right to erasure actually requires

Article 17 of the GDPR grants individuals the right to have their personal data erased. It applies when one of six grounds is met — the most common for testimonial scenarios being: the data is no longer necessary for the purpose it was collected for, consent has been withdrawn and there's no other legal basis, or processing was unlawful in the first place.

Video testimonials involve personal data by default. A video showing someone's face and voice, paired with their name and often their job title, is personal data in the clearest possible sense. Some legal interpretations classify voice and facial data as biometric data, which carries stricter obligations — but you don't need to reach that debate to know your testimonials fall under GDPR.

When someone asks you to erase their testimonial, you generally need to comply. You have a right to verify the request is genuine, and a narrow set of grounds on which you can refuse. But the default answer is: yes, within thirty days.

When it applies to video testimonials (and when it doesn't)

Right to erasure isn't absolute. There are specific cases where you can legitimately refuse, and it's worth knowing them so you don't either refuse when you shouldn't (triggering a complaint) or delete when you could have reasonably declined (losing testimonials unnecessarily).

When you generally must comply:

• The person withdraws their consent to being used, and consent was the legal basis for the processing — which for marketing testimonials, it almost always is.
• The data is no longer necessary for the purpose it was collected for, for example a campaign that ended two years ago.
• The processing is or was unlawful — you didn't have proper consent in the first place.

When you might be able to refuse, in whole or in part:

• You have another legal basis for continued processing, which is rare for testimonials because consent is almost always the only basis.
• The processing is necessary for compliance with a legal obligation.
• Freedom of expression and information grounds apply — narrow, and interpretation varies. A testimonial used in journalism or public commentary might fall here. A marketing testimonial on a landing page almost certainly does not.

In almost any marketing testimonial scenario, the answer is: you comply. The rare cases where you might defensibly refuse should be run past a lawyer first, not decided by you alone in the heat of responding to an angry email.

The 30-day clock: what the law requires

Once you receive a valid erasure request, you have one month to respond. That month includes:

• Acknowledging that you received the request and will action it. A reasonable acknowledgment within a few business days is good practice.
• Completing the erasure itself, including removing the content from all channels you directly control.
• Notifying any third parties who received the data from you — for example, if you shared the video with a paid ad platform or a reseller partner, you need to ensure it's removed there too.
• Confirming completion in writing back to the requester.

You can extend the response period by up to two additional months for complex requests, but you must tell the requester within the original thirty days that you're extending and why. "We're busy" is not a valid reason. "This is a cross-platform erasure involving paid ads across multiple channels that requires coordinated removal" might be.

If you're going to refuse the request, you must also do that within thirty days, and you must explain why in a way that references the specific ground on which you're refusing. A vague "we don't think we have to" is not adequate.

Your step-by-step response workflow

When an erasure request lands, run this sequence.

Verify the requester

Confirm the person sending the request is actually the person in the video. This is usually straightforward — check the email against the record you captured at consent, or ask for confirmation of something only the subject would know. You're not allowed to make verification unnecessarily burdensome, but a reasonable identity check is permitted under GDPR.

Remove from owned channels immediately

Within your direct control, remove the video from:

• Your website and landing pages
• Your testimonial widgets and walls of love
• Any embedded versions on sales or investor materials
• Your email templates and automated sequences (future sends — past sends can't be un-sent)
• Your social media accounts where the video was uploaded

This is the biggest chunk of the work and it should happen fast. "Fast" doesn't have a legal definition in Article 17, but same-day to 72 hours is the reasonable standard for owned channels where removal is a few clicks.

Stop any active paid distribution

If the video is running in a paid ad, pause the ad. If it's in a pitch deck your sales team is actively using, pull the slide. If it's in a sales enablement library your team is pulling from, remove it from the library and communicate to the team. Stopping further distribution is as important as removing what's already out there.

Chase cached and third-party copies

This is where erasure gets hard, and where being transparent with the requester matters. Cached copies (search engine caches, CDN caches, browser caches) typically expire within days to weeks — you can't usually force the issue, though most major search engines offer cache removal tools if needed. Reshared content on third-party platforms is outside your direct control; the law doesn't expect you to chase down every re-upload, but it does expect you to request removal from any platform you knowingly shared the content with.

Document what you did and send confirmation

Log what you deleted, when you deleted it, and from where. Note any third parties you contacted and their response. Send the requester a confirmation email that names the specific actions taken. If anything couldn't be removed (third-party caches, reshares you don't control), say so honestly and explain what you did about it. Transparency beats pretending the internet is tidier than it is.

The technical side: what "remove" actually means for video

Deleting a video testimonial is not the same as deleting a row in a database. A video testimonial exists in multiple places simultaneously:

• The video file itself, sitting in object storage.
• The database record linking that file to a testimonial, author, consent record, and metadata.
• The thumbnail or poster image generated from the video.
• The cached copies served from CDN edge nodes around the world.
• The widget embedding that references the testimonial on your marketing site.
• Potentially downloaded copies on your team's drives, in Slack threads, or embedded in presentation decks.

A proper erasure removes the first three (file, database record, thumbnail), stops the fifth (the widget stops rendering the testimonial because it's no longer in the database), and invalidates the fourth over time as cache TTLs expire. The sixth — local copies your team downloaded — is an internal process, not a technical operation on your testimonial platform.

GetPureProof does the first three as a single atomic operation: delete the testimonial in the dashboard, and the same action removes the video file and thumbnail from object storage, removes the database row, and revalidates the widget. The widget immediately stops including the testimonial — because there's no testimonial to render. No lingering file, no orphaned data, no zombie references.

Template response to an erasure request

A reasonable first response, sent within a few business days of receiving the request:

Subject: Your erasure request — confirmation and next steps

Hi [Name],

Thanks for your message. I'm confirming that we've received your
request to erase the video testimonial you provided to [Company
Name], and we'll be actioning it under GDPR Article 17.

Here's what will happen:

1. Within the next [X business days], we'll remove the video
   from our website, any testimonial widgets it appears in, our
   email templates, and our social media channels.

2. We'll pause any paid advertising that contains the video.

3. We'll delete the video file and thumbnail from our storage
   and remove the associated record from our database.

4. If we've shared the video with any third parties, we'll
   request its removal from them as well.

5. Once complete — within 30 days of your original request —
   I'll send you a confirmation email listing the specific
   actions taken.

Please note that we cannot control copies that third parties may
have saved or reshared, and cached copies in search engines and
CDNs may take a short time to fully expire. We'll let you know
if any specific channel presents a challenge.

Before we proceed, can you confirm that the request is coming
from the email address you originally submitted the testimonial
with, or provide another form of identity verification?

Best,
[Your Name]
[Company Name]

And the closing email when erasure is complete:

Subject: Your erasure request — completed

Hi [Name],

I'm writing to confirm that we've completed the erasure of your
video testimonial as requested.

Specific actions taken:
- Removed the video from [website URL and specific pages]
- Removed the video from [email templates / automation sequences]
- Paused [list of paid ads] that contained the video
- Deleted the video file and associated data from our storage
- [If applicable: Requested removal from third parties: list]

As discussed, cached copies in search engines and CDNs may take
up to [timeframe] to fully expire. If you notice any remaining
copies after that period, please let us know and we'll follow up.

If you have any further questions, please get in touch.

Best,
[Your Name]
[Company Name]

Adapt the specifics to your situation but keep the structure: acknowledge, act, confirm.

How GetPureProof handles this

The mechanical side of erasure is where most teams struggle — what do we actually click, and does that actually delete everything? GetPureProof is built so that removing a testimonial is one action, not five:

• One click in your dashboard removes the testimonial. Under the hood, that action deletes the video file from object storage, deletes the thumbnail, and removes the database record in a single atomic operation.
• Widgets update automatically. There's no separate step to remove the testimonial from your Wall of Love or carousel. The widget renders only testimonials that exist in your database; delete the record, and the widget stops including it on the next load.
• Bulk operations are available. If you receive multiple erasure requests or need to cascade a deletion, you can act on several testimonials at once.
• Account-level deletion cascades through every Space you own, removing every testimonial and every associated file in storage. This matters less for individual erasure requests but a lot for closing an account or winding down a project.

What the platform doesn't automate for you: pausing paid ads that embed the video, notifying third parties you shared the content with, or cleaning up local copies on your team's drives. Those are workflow tasks, not platform tasks, and they require you to run the response workflow above.

For more on how GetPureProof handles the rest of the compliance surface, see the features page or the guide on video consent forms and templates — a clean consent record makes the erasure process faster because you can point to exactly what was agreed to and when. For the broader GDPR picture around testimonial workflows, the complete video testimonial GDPR guide ties consent, processing, transfer, and erasure into a single framework.

Bottom line

Right to erasure isn't optional. When someone asks, the default answer is yes, and the clock starts the moment their email arrives.

Thirty days. Specific actions. Confirmation in writing. A template to adapt, a workflow to follow, and a platform that either makes the technical side trivial or makes it a Friday-afternoon fire drill depending on how it was built.

If you run testimonials on your site, decide now what your erasure response looks like. Not when the first email arrives — now. Because the first email will arrive, and having an answer ready is the difference between a clean thirty-day response and a panicked weekend.