InformationProcesses with Personal Data

This information is a supplement to the heiBOX Introduction. In the following, you will learn all about the use of heiBOX for processes with personal data and receive information about the records of processing activities according to the GDPR (General Data Protection Regulation).


heiBOX is a free and secure file storage with a 30 GB storage capacity for work-related purposes and is available to all University employees. It can be used to share and synchronize data on PCs and mobile devices and has functionalities similar to commercial cloud storage services (Dropbox, Google Drive).

In order for the processing of personal data to comply with data protection in terms of the LDSG and the GDPR, you as the user must take certain precautions. The important points to observe are:

  • Encryption
  • Backup/History
  • Deletion  (via "Trash")
  • Local copies (via synchronization)


heiBOX users can create a new library in the heiBOX web interface. If you encrypt this newly created library, you will be prompted to enter a password. All data in this library is thus encrypted, and only users with its password have access to the data. (Therefore, it is important to keep the password safe, as the data cannot be unencrypted even by heiBOX administrators at the URZ if the password is lost.)

In technical terms, this involves end-to-end encryption. The data is encrypted with AES 256/CBC, and the symmetric key is generated from the user password via PBKDF2, which means that decryption without a password would require enormous computational resources (several years on a Top10 HPC cluster).

Screenshot: heiBOXDSGVO_Schritt1


By default, backup copies of the libraries are kept in heiBOX for 30 days under the keyword "Versionierung". This storage period can be adjusted by the user by selecting “More Operations” for the relevant library and selecting "History Setting".

Screenshot: heiBOXDSGVO_Schritt2

In these settings, you can also choose to decline to keep any history.

Screenshot: heiBOXDSGVO_Schritt3

Deletion (via "Trash")

Libraries and files can be deleted by clicking on the trash icon. Here is an example of deleting the library "Test":

Screenshot: heiBOXDSGVO_Schritt4

While deleted files are sent to the user's trash bin, deleted libraries are sent to the system trash. Users do not have access to the system trash. Only heiBOX administrators can restore the data up to 30 days after it was deleted. After that, the data is permanently deleted. The user can access their trash bin, where the deleted files of a library can be found, by clicking on the recycle icon on the top right:

Screenshot: heiBOX:DSGVO_Schritt5

By clicking the recycle icon, you open “Trash” and can see the deleted files. Here are the files from the Test library:

Screenshot: heiBOX:DSGVO_Schritt5

 Now, you can either restore the files (with "Restore") or completely delete the older file versions by selecting "Clean". In order to delete all files, incl. older versions and deleted files from your heiBOX library, we recommend the following process:

1. Delete all files from the library you want to delete.

2. Completely delete the files in the trash of the library you want to delete by clicking on  “Clean” and selecting "all".

3. Delete the library.

Local copies (via synchronization)

If libraries are synchronized with a PC and/or mobile device, local copies of these libraries as well as the folders and files within them will be saved on these devices. These local copies are not always automatically deleted at the time a library is deleted but rather the next time heiBOX is synchronized with your device. If you don't synchronize your device, the libraries/files will not be deleted from your device.

However, it is not possible to prevent the synchronization of libraries upfront. As deletion cannot be assured through technical means, users who work with local copies of synchronized libraries and files must receive additional administrative support when personal data is being handled. For example, the individual primarily responsible for the processes could have all persons who have access to the personal data confirm in writing that all local copies have been manually deleted.


By adopting the settings mentioned in the four sections above, you can use heiBOX as a data-protection-compliant and secure data storage.