GDPR Knowledge

Borlabs Cookie and Data Protection – What Belongs in the Privacy Policy

Compact guide to Borlabs Cookie: data processed, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.

Borlabs Cookie Data Protection – Legal Requirements and Documentation

Anyone using Borlabs Cookie on a German-language website must adapt their privacy policy and disclose all processed data and the purposes of processing. This guide helps controllers meet the requirements of the GDPR and the TDDDG and document Borlabs Cookie correctly.

Borlabs Cookie is a WordPress plugin for consent management (CMP). It enables operators of German-language websites to ask visitors for their consent before loading cookies and external resources – an opt-in procedure under Section 25(1) TDDDG and Art. 7 GDPR.

Core functions:

  • Cookie blocking: Third-party content (YouTube, Google Analytics, Meta Pixel, etc.) is only loaded after the user has consented
  • Content blocker: Blocks external content until consent is given
  • Consent logging: Documents consent events in its own WordPress database
  • IAB TCF support: Partial support for the IAB Transparency & Consent Framework
  • Self-hosted: The plugin runs on the website operator's own WordPress installation; data remains with the website operator

The tool itself does not store any data in the cloud or with third-party providers – except for licence and update requests to Borlabs servers.

A legally compliant privacy policy must contain the following points:

  1. Provider and contact – Borlabs GmbH (address and data protection officer published if applicable)
  2. Purpose and legal basis – consent management under Section 25 TDDDG, Art. 6(1)(c) and (f) GDPR
  3. Processed data – consent decisions, cookie identifier, timestamp, browser information
  4. Retention period – usually 12 months (configurable)
  5. Data subject rights – objection, access, erasure under Art. 15-22 GDPR
  6. Note on profiling – Borlabs Cookie itself does not perform any automated profiling

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

Company: Borlabs GmbH
Address: Hamburg, Germany (EU)
Website: borlabs.io
Managing director: Benjamin A. Bornschein

Special feature: Borlabs is a German provider based in the EU – the GDPR applies without restriction. Data transfers to the USA or other third countries are not carried out by the plugin itself.

For licence updates and support, the plugin contacts Borlabs servers in Germany.

D. Data Processing – Sequence in Steps

  1. Page is loaded – The visitor accesses the website on which Borlabs Cookie is installed.
  2. Consent banner displayed – Borlabs displays a banner or modal with categories (e.g. functional, marketing, statistics).
  3. User makes decision – The visitor clicks "Accept" or "Reject" or differentiates by category.
  4. Consent is logged – Borlabs stores the consent decision and a timestamp in the WordPress database.
  5. Cookie "borlabs-cookie" stored – The browser receives a cookie with a unique session ID (UUID).
  6. External content (where applicable) loaded – Depending on user consent, Borlabs reloads conditional resources (e.g. Google Analytics).
  7. Data is documented – The controller can read out the consent log and use it for compliance audits.

Directly collected by Borlabs

  • Consent decisions – which cookie categories the user has accepted or rejected
  • Cookie identifier – a unique identifier per session (UUID)
  • Timestamp – date and time of consent submission
  • Browser information – user agent, browser cookie settings (partly visible via web server logs)
  • Origin URL – the page from which consent was granted (referrer)

Indirectly via web server log data

  • IP address (coarse location determination)
  • Access time
  • HTTP method and response status
  • Web browser and operating system

Classification of data

This data falls under the following GDPR categories:

  • Web server log data – Art. 6(1)(f) GDPR (legitimate interest)
  • Browser information – Art. 6(1)(c) GDPR (compliance with a legal obligation), Art. 6(1)(f) GDPR
  • Coarse location data (IP geolocation) – Art. 6(1)(f) GDPR
  • Conversion events (consent events) – Art. 6(1)(c) GDPR (fulfilment of a legal obligation)

F. Purposes of Use

Borlabs Cookie processes data for the following purposes:

| Purpose | Legal basis | Data |
|---|---|---|
| Provision of CMP functionality – operation of the cookie banner, storage of user decisions | Art. 6(1)(c) GDPR, Section 25(2)(2) TDDDG | Consent decisions, UUID, timestamp |
| Security and abuse protection – detection of bots, protection against cookie manipulation | Art. 6(1)(f) GDPR | IP, user agent, request pattern |
| Compliance and proof of compliance – documentation for data protection audits | Art. 6(1)(c) GDPR, Art. 5(2) GDPR | Consent log, timestamp |
| Legal enforcement – clarification of disputes about consents | Art. 6(1)(f) GDPR | Consent record |

Tool category

Borlabs Cookie is a Consent Management Platform (CMP) as defined by the EDPB and IAB.

  1. Art. 6(1)(c) GDPR – fulfilment of a legal obligation
    The use of a CMP is a mandatory requirement to document consent under Section 25(1) TDDDG and to prove compliance with Art. 7(4) GDPR.

  2. Art. 6(1)(f) GDPR – legitimate interest
    Protection against misuse, security of IT infrastructure, prevention of cookie tampering.

  3. Art. 7(1) GDPR in conjunction with Section 25(2)(2) TDDDG – necessary function
    Cookies that are technically necessary to operate the consent system do not require prior consent.

  4. Art. 6(1)(a) GDPR – consent (indirectly)
    Borlabs enables the controller to obtain consent under Art. 4(11) GDPR.

Without a valid legal basis, the use of Borlabs Cookie is not permitted. The controller may not use it to arbitrarily collect data – only to fulfil the consent documentation obligation and to protect the website infrastructure.

  • Self-hosted solution: Data remains on the website operator's server; no cloud dependency on Borlabs
  • German provider: Borlabs GmbH is based in Hamburg (Germany) – GDPR fully applicable
  • No third-country transfers by the tool itself: At most licence update requests to German Borlabs servers
  • No DPA required for the plugin: Because the plugin is the property of the controller and does not act as a processor (Art. 28 GDPR). A DPA with the WordPress hoster may be required
  • Consent log mandatory: Art. 7(4) GDPR requires controllers to be able to prove that consent was given
  • No prescribed erasure deadlines: The controller can configure the retention period (usually 12 months)
  • GDPR compliance not automatically guaranteed: Borlabs Cookie is only a tool; the controller bears full accountability

J. Conclusion and CTA

Borlabs Cookie is a German, privacy-friendly consent management plugin that can meet the requirements of the TDDDG and the GDPR – if it is correctly configured and documented.

Important disclaimer: This guide provides an overview of the legal requirements and does not claim to be exhaustive or legally binding. For website-specific questions, we recommend consulting a data protection lawyer.

Use the Privacy Policy Generator to create a wording suitable for your website.

K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com