Term and Definition of Proxy
The term “proxy” comes from English and literally means “representative” or “authorized agent.” In information technology (IT), a proxy is used as an intermediary between a client (e.g., a computer, browser, or software) and a server. In a legal context, “proxy” refers to both a technical tool and the related legal issues concerning data protection, copyright, telecommunications law, criminal law, and civil liability. The use of proxies is subject to a variety of legal requirements, especially concerning lawful usage, liability issues, data protection rules, and country-specific legislation.
Technical Basics and Functionality
A proxy server acts as an intermediary in the transfer of data between the end user and the actual target server. This technical relay often also performs filtering and logging functions or conceals the user’s IP address. Depending on the purpose of use, different types of proxies are distinguished, for example, “forward proxy,” “reverse proxy,” “open proxy,” as well as specialized applications such as “web proxy” and “SOCKS proxy.”
Legal Relevance and Classification of Proxies
Data Protection Aspects (GDPR and BDSG)
The assessment of proxy server use under data protection law is carried out in particular according to the requirements of the General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG). Proxies can process and store personal data such as IP addresses. This results in obligations regarding data security, transparency, information duties, and possible data subject rights (e.g., access, erasure, objection). Depending on the type of use, it may be necessary to conclude a data processing agreement with the proxy server provider.
Risks and Obligations:
- Logging and Storage of Usage Data
- Use of Anonymous Proxies and Effects on Traceability
- Transfer of Personal Data to Third Countries through International Proxy Providers
- Implementation of Technical and Organizational Measures According to Art. 32 GDPR
Liability Issues
Responsibility of Operators
The operator of a proxy server can be held civilly and criminally liable in the event of unlawful use. The decisive factor is the operator’s status as a so-called “service provider” in accordance with § 2 No. 1 Telemedia Act (TMG) or as a controller within the meaning of the GDPR.
Within the framework of the Telemedia Act, liability privileges exist under certain conditions for mere transmission (access providers) and caching (§§ 8, 9 TMG). Further obligations to monitor and act may arise for proxy operators when they become aware of legal infringements (“disturber liability”).
User Responsibility
The individual user of a proxy service can also be held liable, for example, when circumventing access restrictions, concealing copyright infringements, or committing criminally relevant actions (e.g., cyberattacks, distribution of illegal content). The use of proxies does not remove the original user’s responsibility; prosecution is still possible, albeit with greater investigative effort.
Permitted and Prohibited Purposes of Use
Circumventing Geoblocking
A common use case for proxies is bypassing so-called “geoblocking” mechanisms when accessing content on the Internet. Circumventing such access restrictions can, depending on the respective terms of use and copyright law, be considered a circumvention of technical protection measures and thus a legal infringement (§§ 95a ff. UrhG).
Anonymization and Protection of Privacy
The legitimate use of proxies to protect privacy and prevent tracking is generally permitted. However, the legal limitations of data protection and the specific terms of service for each service must still be observed.
Use in Companies and Public Institutions
Companies and authorities often use proxies for security purposes, to manage network traffic, and to meet compliance requirements. The processing and logging of employee data via company-owned proxies are subject to specific labor and data protection regulations.
Country-Specific Regulations and International Guidelines
The legal assessment of proxy services may differ significantly depending on the legal system. Some countries have strict bans or restrictions on the use and provision of proxies (e.g., Russia, China, Iran). In other countries, the use of anonymization services is limited by legal requirements (obligations for monitoring, data retention).
Where proxies are used internationally, in particular where personal data are transmitted abroad, the rules on international data protection as well as any notification and approval obligations apply.
Criminal Relevance and Investigative Measures
Proxy services are often the focus of police and prosecutorial investigations, especially in the context of Internet crime (“cybercrime”). The use of a proxy service to conceal one’s identity is not generally punishable. However, it becomes relevant if further criminal acts are committed through its use or investigations are obstructed (§ 258 StGB, obstruction of justice). Law enforcement agencies have technical means and legal grounds to trace even concealed connection data.
Civil Law Issues and Claims for Damages
If the use of a proxy server infringes the rights of third parties, for example, through circumvention of technical protection measures, defamation, libel, or copyright infringement, claims for injunctive relief and damages can be asserted under §§ 1004, 823 BGB or §§ 97 ff. UrhG. Questions of responsibility and liability are examined on a case-by-case basis and depend, among other things, on the role as perpetrator or accessory, as well as on whether the proxy service operator breached their duty of care or became aware of infringements.
Summary and Legal Assessment
The use of proxies is technically widespread and highly relevant legally. Numerous data protection, liability, and criminal law questions arise under German and European law. The specific purpose, concrete configuration of the proxy service, as well as national and international laws determine the legal framework. In particular, proxies may not be used to circumvent protection mechanisms or for unlawful activities. Operators and users should carefully observe legal requirements, especially in data protection law, copyright law, and telemedia law, to avoid liability risks.
Literature and Further Sources
- General Data Protection Regulation (GDPR)
- Telemedia Act (TMG)
- Federal Data Protection Act (BDSG)
- Copyright Act (UrhG)
- German Civil Code (BGB)
- Criminal Code (StGB)
- Federal Office for Information Security (BSI) – Technical Guidelines
- European Commission – Guidelines on Geoblocking and Data Protection
Note: This article serves as general legal information. An individual assessment in each case is always recommended.
Frequently Asked Questions
Is the use of proxies generally legal in Germany?
The use of proxies to conceal one’s own IP address or to bypass geoblocking is generally not prohibited per se in Germany. However, the legal permissibility always depends on the specific purpose for which the proxy is being used. For instance, if a proxy is used to commit copyright infringements (e.g., bypassing country restrictions for streaming services or unauthorized access to protected content), this may constitute a copyright infringement under §§ 16 ff. UrhG or circumvention of effective technical protection measures under § 95a UrhG. Circumventing website access restrictions may also violate the terms and conditions of the respective service and have civil law consequences. Criminal relevance further depends on whether the proxy is used to conceal or prepare criminal acts (e.g., fraud, data espionage). Therefore, merely using a proxy is permitted as long as no illegal activities are conducted.
Can companies prohibit their employees from using private proxies?
Companies are entitled to establish rules for Internet use on company devices and within the corporate network. Under the employer’s right of direction according to § 106 GewO, the employer may prohibit the use of proxies to prevent security risks such as data leakage or bypassing IT security measures. Violations of such rules may have employment law consequences, ranging from warnings to termination in the case of repeated or severe breaches. In terms of data protection, companies must transparently state whether and how they monitor network traffic, for instance to check compliance with such rules. Monitoring must meet the standards of necessity and proportionality (Art. 5, 6 GDPR).
Is the operator of a proxy server liable for the content transmitted?
The liability of the proxy operator is governed by the principles of “liability for service providers” as stipulated in the Telemedia Act (TMG). According to § 8 TMG, service providers are generally not responsible for third-party information which they transmit in a communications network or provide access to, as long as they do not influence the transmission or adopt the content as their own. However, this limitation of liability ceases to apply if the operator becomes aware of illegal activities and does not act (notice-and-takedown principle). If the operator intentionally supports criminal activities through targeted anonymization or obfuscation, criminal liability aspects (aiding and abetting) may also become relevant. Proxy operators are generally not obligated to monitor content, but are obligated to act when made aware of specific illegal content.
Is it a criminal offense to use proxies to bypass geo-blocks?
Bypassing geo-blocks using a proxy can touch on various legal provisions. According to current law, simply bypassing geoblocking usually does not constitute a criminal offense. However, civil law aspects may apply: many streaming or media providers have terms of use that prohibit bypassing geo-blocks. Violations may result in termination of contract or claims for damages. Criminal issues only arise if the circumvention also violates copyright or other protective laws, for example, by accessing content for which no license exists in the country of residence — here, in particular, violating technical protection measures (§ 95a UrhG) may apply.
What data protection risks arise from using third-party proxies?
Using third-party (especially free) proxies poses significant data protection risks, as all data transmitted through the proxy can potentially be read, stored, or manipulated by the operator. Under the GDPR (Art. 5, 32), personal data must always be protected with appropriate technical and organizational measures. If you use a third-party proxy, you effectively transfer control over your data to a third party, whose identity, location, or security measures you usually do not know. When used in a professional context, this can constitute a violation of company data protection rules or telecommunications secrecy (§ 88 TKG). Public authorities and companies must ensure that no personal or confidential information is transmitted externally via insecure proxies.
Must the use of proxies be documented or reported?
For private individuals, there is generally no obligation to document or report the use of proxies. However, for companies and public authorities — especially in the context of IT compliance, data protection, and IT security policies (e.g., under Art. 30 GDPR or the IT Security Act) — there may be a documentation obligation for technical security measures in use. This includes, in particular, transparency regarding the systems and tools used, which may include proxies if they serve purposes such as anonymization, encryption, or as part of a multi-level security concept. In addition, companies should document the proper use to be able to demonstrate what measures have been taken to protect data in the event of data breaches or security incidents.
What penalties can be imposed for abusive proxy use?
Anyone who uses proxies to commit crimes, such as hacking, fraud, or mass circumvention of copyright barriers, must expect criminal and civil law consequences. The possible penalties depend on the offense – ranging from fines to imprisonment (e.g., § 202a StGB – data espionage, § 263 StGB – fraud, § 106 UrhG – copyright infringement, etc.). Additionally, in civil law, claims for injunctive relief and damages can arise. In particularly serious cases involving commercial motives, aggravating circumstances may additionally apply. Making it more difficult for law enforcement authorities to investigate (e.g., by cascading proxies) may also be considered an aggravating factor in sentencing.