How to collect testimonials in a GDPR-compliant way
Customer testimonials and reviews are powerful, but they are also personal data. If you operate in the European Union, or collect testimonials from people who do, the General Data Protection Regulation applies. This guide walks through what that means in practice and how to collect GDPR customer reviews without cutting corners.
Why testimonials are personal data
Under the GDPR, personal data is any information relating to an identified or identifiable person. A customer testimonial usually contains several pieces of personal data at once: the person's full name, their job title, the company they work for, sometimes a photo, and the opinion they expressed. A photo in particular can be considered sensitive in some contexts.
Because of this, publishing a testimonial is a form of processing personal data. You need a lawful basis for it, you need to be transparent about it, and you need to be able to honour the rights of the person who provided it.
1. Get clear consent
The cleanest lawful basis for publishing a testimonial is usually consent. Ask the customer explicitly, before you publish, whether they agree to their name, role, company and quote being displayed publicly on your website and marketing materials.
Good consent is specific, informed and freely given. Tell the person exactly what will be shown, where it will appear, and that they can withdraw their consent at any time. Keep a record of when and how consent was obtained. Avoid scraping reviews from other platforms and republishing them as testimonials without permission.
2. Mind where the data is hosted
The GDPR restricts transfers of personal data outside the European Economic Area. If your testimonial tool stores data on servers in the United States or other third countries, you may need additional safeguards and you should document them. This area has been shaped by significant case law, including the ruling commonly known as Schrems II.
The simplest way to reduce this risk is to choose a provider that keeps the data inside the EU. EU hosting removes the transfer question entirely and is often easier to defend to a Data Protection Officer or a regulator.
3. Respect the right to erasure
People who give a testimonial keep their rights over that data. They can ask to see it, correct it, or have it deleted. The right to erasure (sometimes called the right to be forgotten) means that if a customer asks you to remove their testimonial, you must be able to do so promptly and completely.
In practice this means your tooling should let you delete a testimonial in one action, including any cached or displayed copies, and that deletion should actually remove the underlying data rather than just hide it.
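Sections 1 and 3 above ask for a dated record of how consent was obtained and for a deletion that removes the data rather than hides it. The following Python sketch is an added example, not ProofEU's code or anything from the article; the store, its field names and the sample testimonial are constructed for illustration. It contrasts a "hide" flag, which unpublishes but leaves personal data in place, with an erasure that clears the record and its rendered copy, and it keeps an export for access requests and a consent check before anything is published.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """When and how consent was obtained, and exactly what it covers."""
    obtained_at: datetime
    method: str          # how it was obtained, e.g. "web form", "email reply"
    scope: tuple         # fields the person agreed to show, e.g. ("name", "quote")
    surfaces: tuple      # where it may appear, e.g. ("website", "marketing")
    withdrawn_at: Optional[datetime] = None


@dataclass
class Testimonial:
    id: str
    name: str
    role: str
    company: str
    quote: str
    consent: ConsentRecord
    hidden: bool = False  # used only by the soft-delete anti-pattern below


class TestimonialStore:
    """Hypothetical in-memory store with a primary table and a rendered cache."""

    def __init__(self):
        self._records = {}  # primary storage
        self._cache = {}    # rendered snippets as they would be served on the site

    @staticmethod
    def render(t: Testimonial) -> str:
        """Display only the fields inside the consent scope (data minimisation)."""
        fields = {"name": t.name, "role": t.role, "company": t.company, "quote": t.quote}
        return " | ".join(fields[f] for f in t.consent.scope if f in fields)

    def add(self, t: Testimonial) -> str:
        """Refuse to publish anything whose consent has been withdrawn."""
        if t.consent.withdrawn_at is not None:
            raise ValueError(f"consent for {t.id} has been withdrawn")
        self._records[t.id] = t
        self._cache[t.id] = self.render(t)
        return t.id

    def published(self) -> list:
        return sorted(self._cache)

    def export(self, tid: str) -> dict:
        """Right of access: everything held about the person, consent audit included."""
        t = self._records[tid]
        return {"name": t.name, "role": t.role, "company": t.company, "quote": t.quote,
                "consent_obtained_at": t.consent.obtained_at.isoformat(),
                "consent_method": t.consent.method,
                "consent_scope": list(t.consent.scope),
                "consent_surfaces": list(t.consent.surfaces)}

    def withdraw_consent(self, tid: str, when: Optional[datetime] = None) -> None:
        """Stop displaying immediately; the record stays until an erasure request."""
        self._records[tid].consent.withdrawn_at = when or datetime.now(timezone.utc)
        self._cache.pop(tid, None)

    def hide(self, tid: str) -> None:
        """Anti-pattern: a 'soft delete' that only unpublishes. Personal data remains."""
        self._records[tid].hidden = True
        self._cache.pop(tid, None)

    def erase(self, tid: str) -> None:
        """Right to erasure: remove the record and every derived copy in one action."""
        self._records.pop(tid)
        self._cache.pop(tid, None)

    def exists_anywhere(self, tid: str) -> bool:
        """The check to run after erasure: nothing left in any store."""
        return tid in self._records or tid in self._cache


def sample_testimonial() -> Testimonial:
    """Constructed sample data; the person and company are fictional."""
    consent = ConsentRecord(obtained_at=datetime(2024, 3, 1, tzinfo=timezone.utc),
                            method="web form", scope=("name", "company", "quote"),
                            surfaces=("website",))
    return Testimonial(id="t1", name="Ana Lopez", role="CTO", company="Example GmbH",
                       quote="Great tool.", consent=consent)


def demo() -> dict:
    """Publish, hide (anti-pattern), erase, then show withdrawal blocking re-publication."""
    store = TestimonialStore()
    t = sample_testimonial()
    store.add(t)
    out = {"rendered": store.render(t), "published": store.published(),
           "export": store.export("t1")}
    store.hide("t1")
    out["after_hide"] = (store.published(), store.exists_anywhere("t1"))
    store.erase("t1")
    out["after_erase"] = store.exists_anywhere("t1")
    t2 = sample_testimonial()
    store.add(t2)
    store.withdraw_consent("t1")
    try:
        store.add(t2)
        out["rejected_after_withdrawal"] = False
    except ValueError:
        out["rejected_after_withdrawal"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Note that `render` never shows the role because it is outside the consent scope, and that `hide` leaves `exists_anywhere` true, which is exactly the state an erasure request must not end in. A real deployment would extend `erase` to cover search indexes, CDN caches and backups under a documented retention rule.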
4. Sign a DPA with your processor
When you use a third-party tool to collect and display testimonials, that tool acts as a data processor on your behalf. Article 28 of the GDPR requires a data processing agreement (DPA) between you, the controller, and the processor.
The DPA sets out what the processor may do with the data, the security measures in place, the use of any sub-processors, and what happens in the event of a data breach. Before you adopt a testimonial tool, make sure a DPA is available and that your DPO is comfortable with its terms.
A short checklist
- Collect explicit, specific consent before publishing any testimonial.
- Record when and how consent was obtained.
- Tell the person what will be displayed and where.
- Make it easy to withdraw consent and to delete the testimonial on request.
- Prefer a provider that hosts personal data inside the EEA.
- Have a signed Article 28 DPA on file with your processor.
- Apply data minimisation: do not collect more than you need.
How ProofEU helps
ProofEU was built around these requirements rather than retrofitting them. Data is hosted in Dublin, Ireland, with no transfer outside the EEA. Every plan includes a pre-filled Article 28 DPA, so your DPO has the document they need from day one. Testimonials are collected through a consent-aware form, and you can delete any testimonial in a single action to satisfy an erasure request.
You can read the full detail on our GDPR compliance page and compare plans on the pricing page.
Collect testimonials the compliant way
EU-hosted, consent-aware, DPA included. Start collecting GDPR-compliant testimonials today.
This article is for general information only and is not legal advice. Consult a qualified professional for your specific situation.