Financial Ombudsman Service decision
AJ Bell Securities Limited · DRN-5972730
The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.
Full decision
The complaint
Mr B complains AJ Bell Securities Limited (‘AJ Bell’) retained his personal data for longer than it should have.
What happened
Mr B transacted some business with AJ Bell in about 2014 and had no further dealings with it until he received an email from AJ Bell in 2025.
Mr B received the email on 19 March 2025. It concerned an update to AJ Bell’s terms and conditions. Later that day AJ Bell emailed Mr B again saying the email hadn’t been meant for him and had been sent by mistake. AJ Bell apologised and said this didn’t mean Mr B’s account had been reactivated.
On 6 April 2025 Mr B replied by email. He said that because he hadn’t had any dealings with AJ Bell for many years it had no legitimate interest in retaining his data. He asked AJ Bell why he shouldn’t complain to the Information Commissioner’s Office (ICO) about a breach of data protection regulations.
In reply AJ Bell explained why the email had mistakenly been sent. It also said the following:
‘Please be assured all data matters are taken seriously and with priority. This error has been managed within the context of GDPR and actions will be implemented to prevent recurrence. I have also been assured that you will not receive any further communications from us. In terms of the data we hold, I am happy to have these erased for you, please respond to this email confirming this if you wish to.’
Mr B raised a complaint. He said he wasn’t complaining about the email because he could ‘quickly delete’ it and so it ‘didn’t bother’ him. But he said AJ Bell ought to have deleted his data years ago. He asked whether AJ Bell did not have a compliance officer to ensure that happened.
AJ Bell said it was required to retain client information for a minimum of six years following the closure of an account and after that clients could request erasure of their data and AJ Bell would remove any client data it was no longer legally obligated to retain. It asked Mr B what he thought would be a suitable resolution to his complaint.
In response Mr B said he wasn’t happy that AJ Bell appeared to put the onus on customers to have their data removed when he thought AJ Bell should already have removed his data. He said AJ Bell should have a data controller and a data retention policy. And he said if he could apply for direct redress for AJ Bell having breached its obligations then he would, but he thought his only option was to seek indirect redress by reporting the event to the ICO.
AJ Bell said it didn’t place the onus on customers to request erasure and it mentioned that as an option only. It apologised if it hadn’t been clear and said it handled data according to its data retention policy and this incident had been managed in line with that. It offered Mr B £25 to resolve his complaint.
Mr B didn’t respond to the offer. So on 24 April 2025 AJ Bell replied formally to his complaint. In summary it said the following:
• AJ Bell apologised again for the email it shouldn’t have sent him and was investigating the root cause.
• AJ Bell retained personal data only as long as reasonably necessary to fulfill the purposes for which it collected the data. Those purposes might include satisfying AJ Bell’s legal, regulatory, tax, accounting or reporting requirements. How long AJ Bell kept the data would depend on the purpose for which it collected it.
• AJ Bell would ‘process a right to erasure’ if Mr B confirmed he wanted that.
• Mr B could use links now provided to see more about AJ Bell’s privacy policy and the website of the ICO.
• AJ Bell apologised again for the email and asked Mr B to let it know if he wanted to accept the offer of £25.
In reply Mr B said he wanted clarification on two points before he made a decision. He wanted to know whether AJ Bell put the onus on customers to have their data deleted or whether AJ Bell had any obligation to remove data in the absence of a request. And he said that in his own case he couldn’t see any grounds for AJ Bell having retained his data longer than six years, but AJ Bell hadn’t addressed the issue in the context of Mr B’s circumstances.
AJ Bell escalated Mr B’s complaint to a more senior staff member and wrote again. It said its privacy policy said the following:
‘In certain circumstances, you can request that we delete your personal information. If you make a request for deletion, we will consider whether we can comply with your request or if there is a reason why we need to keep processing your personal information which overrides your request.’
It said it kept personal information only as long as reasonably necessary from a regulatory perspective and it had complied with its privacy policy in this instance.
Mr B continued to be dissatisfied because he wanted to know whether AJ Bell was legally required to have deleted his data or whether the onus was on him to request that. And he wanted to know why AJ Bell still had his data.
Mr B referred his complaint to this service. He said he wasn’t sure whether his complaint was something this service could look at. He said if AJ Bell had admitted at the outset that it ought not to have retained his data for so long he would’ve accepted that. But AJ Bell had continued to say it hadn’t done anything wrong by holding his data for about 11 years.
One of our Investigators looked into Mr B’s complaint. In summary he said that in some circumstances a business could have reason to keep customer data for many years and so the investigator couldn’t conclude AJ Bell had failed to act appropriately by keeping Mr B’s data for as long as it did.
Mr B disagreed. Because no agreement could be reached, the complaint was passed to me to review afresh and make a decision.
I issued a provisional decision in which I said I couldn’t see that AJ Bell had a fair and reasonable basis for retaining Mr B’s data as long as it did, but I didn’t think that had caused Mr B any detriment, so I didn’t intend to uphold the complaint.
AJ Bell didn’t respond to my provisional decision. Mr B accepted the decision. He agreed AJ Bell hadn’t caused him any detriment by retaining his data and he was pleased that I’d provisionally found that AJ Bell hadn’t shown it had acted fairly and reasonably by retaining his data for as long as it did.
What I’ve decided – and why
I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. Having done so, I’m not upholding the complaint. I’ll explain why.
The purpose of this decision is to set out my findings on what’s fair and reasonable, and explain my reasons for reaching those findings, not to offer a point-by-point response to every submission made by the parties to the complaint. And so, while I’ve considered all the submissions by both parties, I’ve focussed here on the points I believe to be key to my decision on what’s fair and reasonable in the circumstances.
It’s not the role of this service to decide whether or not a business has breached data protection laws or to punish a business for any breaches – that’s the role of the ICO. This service can look at whether a business has treated a customer fairly and reasonably, including in the way it’s applied those regulations in the course of its business. In deciding that, we base our decisions on what’s fair and reasonable in all circumstances, which may differ from a strict legal interpretation of data protection regulations. Our aim is to put right any detriment the customer has suffered as a result of any unfair treatment by the business.
In this case, Mr B was understandably surprised to receive the email AJ Bell sent him. Not only was the email not relevant to him, but he says he hadn’t been a customer of AJ Bell for many years, at least not actively. His responses to AJ Bell indicated that he expected his data would’ve been deleted six years after he finished transacting with AJ Bell.
Six years is a significant timeframe for data retention in many cases because it’s the limitation period for bringing certain types of claims. But in fact there’s no single fixed rule that governs how long AJ Bell ought to retain Mr B’s data. For a financial services provider the provisions for retention of personal data are derived from multiple sources. Several of those specify minimum retention periods, but businesses may choose to extend those periods for various reasons. So AJ Bell might have had legitimate reasons to retain Mr B’s data for as long as it did. And so by keeping the data for that long, AJ Bell hasn’t necessarily treated him unfairly.
However, the fact that a business could have a legitimate reason is not the same as the business having demonstrated that it did have a legitimate reason in this particular case. As it happens, the responses I’ve seen from AJ Bell haven’t persuaded me that, in the particular circumstances of this case, it did have a reasonable basis to retain Mr B’s data so long after it did business with him. That’s because AJ Bell has simply named some of the purposes for which it may retain data in general. It hasn’t said which of those purposes it has actually relied on in this particular case. So although it could have a legitimate reason for retaining Mr B’s data, AJ Bell hasn’t shown that it did have a legitimate reason.
And although AJ Bell said Mr B could request erasure of his data if he thought it shouldn’t be retained, I think AJ Bell still had an obligation to delete data it no longer needed, even if the customer didn’t request that. I’m satisfied it’s fair to expect AJ Bell to act on that obligation.
However, having said all of that, even if I thought on balance that AJ Bell didn’t have a fair and reasonable basis to have held Mr B’s data for as long as it did, I’d only uphold Mr B’s complaint if – as a result of AJ Bell’s deficiency – he’d suffered some impact that needed to be put right.
Aside from having received the erroneous email which he said he ‘didn’t mind’ and for which AJ Bell offered £25 compensation, I can’t see that Mr B has been affected by AJ Bell’s retention of his data in a way that I can put right. If AJ Bell passively held Mr B’s data longer than it should’ve, that doesn’t, by itself, create detriment for which Mr B ought to be compensated. In response to my provisional decision Mr B agreed he hadn’t suffered detriment of the type that this service could remedy.
I noted in my provisional decision that Mr B could’ve invoked the right to erasure which AJ Bell explicitly offered to him. He said that wouldn’t have resolved his concern which was that AJ Bell had simply retained his data longer than he believed it ought to have done.
As I’ve said – and as Mr B has acknowledged – this service can’t provide a determination on whether AJ Bell has acted within the law by retaining his data, or whether AJ Bell has in place and is abiding by appropriate data management policies. Nor can I hold AJ Bell to account for how it’s managed Mr B’s information or customer data more generally. The retention of his data might create risks for Mr B. But I can’t award compensation for something that might happen but hasn’t happened.
In conclusion, given that when Mr B raised his complaint the only impact on him had been an email which he said he didn’t mind, I don’t have a basis to require AJ Bell to take any action, even if it lacks a legitimate reason for retaining his data. So I don’t have a basis to uphold the complaint. I’m glad Mr B understands why I’ve made this decision.
My final decision
For the reasons I’ve set out above, my final decision is that I don’t uphold this complaint.
Under the rules of the Financial Ombudsman Service, I’m required to ask Mr B to accept or reject my decision before 28 April 2026.
Lucinda Puls
Ombudsman