by nickff 1632 days ago
>"If I store my documents on a free account for a one time send to the university application and then I forget about it, then Dropbox should purge it after a time to protect my data, as I don't have any "contract" with them like a subscription or something."

I found this sentence interesting, as it contained positive and normative statements that I disagree with, with a non sequitur between them. You say that you have no contract with them, even though you agreed to some sort of 'user agreement'. Then you say that you forgot about it, and that makes your faulty memory their problem. They have to make sure your data is secure for you because you... just don't bother to pay any attention to where you're leaving it? Should they also be responsible for checking your password against known breaches, to make sure it's not compromised? Where does this end?

1 comments

Yes, they should check for any possible breaches. As any other responsible company already does, like AWS for example which not only checks for breaches, but also scans public repositories like GitHub and GitLab for leaked credentials. A company should also warn a user from time to time that the respective needs to update his password, some companies are so careless that they don't even pay attention to this latter small detail. Or at least to warn an account holder that he still has an account with them.

> and that makes your faulty memory their problem

It is not only memory that is flawed in humans. Hence the protective measures I'm proposing.

> against known breaches

What about the unknown ones? How do you protect your user's account when under GDPR Dropbox is the controller of the data? By sending mails occasionally to update the password, to adopt 2FA, by locking account due to suspicious activity or to purge it in the end if no further action is taken. It ends with the deletion of the user.