Financial Ombudsman Service decision

National Westminster Bank Plc · DRN-6132527

Data BreachComplaint not upheld
Get your free legal insight →Email to a colleague
Get your free legal insight on this case →

The verbatim text of this Financial Ombudsman Service decision. Sourced directly from the FOS published decisions register. Consumer names are reduced to initials by FOS at point of publication. Not an AI summary, not a paraphrase — every word below is the original decision.

Full decision

The complaint Mr R is unhappy with the compensation National Westminster Bank Plc paid him after problems with his ‘right to erasure’ data request. What happened Mr R opened a bank account with NatWest on 26 February 2025 that he then closed on 13 March 2025. He had not used it. On 27 May 2025 he asked that NatWest erase his data via email using the form the bank advised him to. He was not making a complaint at this point, but his request was incorrectly logged as such. As he received no response he called a few weeks later. On this call the bank explained why it could not delete his data at this time. NatWest was supposed to confirm this in writing to Mr R. It failed to do this. There was then a further call between the parties on 29 September 2025 (no recording available). Mr R recalls it was suggested that perhaps his data and another accountholders had been mixed up, this created worry over the integrity of his data. A final response letter confirming the bank’s position on data erasure was issued on 15 October 2025. In this it acknowledged it the error in miscategorising Mr R’s initial request and the delays in getting back to him. It sent a cheque for £100 to recognise the overall distress and inconvenience its failings had caused. Mr R came to this service unhappy that his data protection request/complaint took so long and that the bank’s erasure request process was not clear. He seeks compensation of £1,000. Our investigator did not uphold Mr R’s complaint. He found that NatWest had acknowledged its errors in its final response letter and paid compensation in line with what we would award. He said there was no evidence of any data breach. He explained our role versus the role of the Information Commissioner’s Office (ICO) with regards to complaints about data protection. I can see Mr R subsequently contacted the ICO. NatWest then wrote to Mr R setting out a more detailed response to his points. Whilst it seems Mr R was satisfied with this communication, he asked for an ombudsman’s review as he still feels he is owed more compensation. He says this is due to how long the bank took to deal with his erasure request; the confusion with the 'mix up' with his personal data and the request format; the subsequent error routing his initial request; and the poor performance of the Customer Relations and Data Protection teams. What I’ve decided – and why I’ve considered all the available evidence and arguments to decide what’s fair and reasonable in the circumstances of this complaint. As the events that triggered Mr R’s dissatisfaction aren’t in dispute, I’ll focus here on what remains in dispute. This is the fair level of compensation for the distress and inconvenience Mr R suffered as a result of the bank’s failings.

-- 1 of 2 --

It is not our role to fine or penalise firms and in the circumstances of this case I find the payment made to be reasonable. When deciding a fair level of compensation for this type of complaint we consider the ‘size’ of the error(s), how long they went on for, how the bank responded and what kind of inconvenience the accountholder suffered, as well as the individual complainant’s circumstances. This is a scenario where the initial error has triggered a number of follow-on issues. And all this unfortunately created stress and anxiety for Mr R. He had to call to chase his email data erasure request, but he was given a clear answer on that call as to why his data couldn’t be erased, though no written confirmation was sent. I accept there was an unacceptable time lag between his email request and the information given on that call. However, whilst he shouldn’t have had to – Mr R could have mitigated that delay by making the follow up call sooner. And as it could not delete his data, the delay prevented the communication of this information, rather than any action the bank needed to take. Fortunately, what he recalls was said on the second call did not amount to a real issue and there was no data breach, though I accept this does not diminish Mr R’s worry after that call. Finally, NatWest apologised for the delay in responding to Mr R once the issue was logged as a complaint. In the round, I find the £100 paid to be fair and reasonable. Mr R also asked that NatWest improves its ‘data erasure request’ process. Whilst I would hope it would want to ensure it is simple and clearly communicated to customers, I cannot instruct it to do anything in this regard. Our remit is to look at individual complaints. It is the Financial Conduct Authority, the regulator, that has the power to consider systemic issues like a firm’s policies and procedures. My final decision I am not upholding Mr R’s complaint. Under the rules of the Financial Ombudsman Service, I’m required to ask Mr R to accept or reject my decision before 28 April 2026. Rebecca Connelley Ombudsman

-- 2 of 2 --