GDPR Knowledge

Complianz and Data Protection – What Belongs in the Privacy Policy

Concise guide to Complianz: processed data, purposes, legal bases (GDPR) and what website operators must include in their privacy policy.


Anyone operating a website with cookies, tracking tools, or other technologies that are stored on or read from end-user devices needs a reliable consent management system. Complianz is one such tool: a WordPress plugin that runs as a self-hosted solution on the operator's own installation. This document shows what information on the use of Complianz belongs in the privacy policy, what data processing operations take place, and how the processing is to be assessed under the GDPR and the German TDDDG.

A. Purpose and Function of Complianz

Complianz is a WordPress plugin for consent management (a consent management platform, CMP) and is developed and maintained by Complianz B.V. (Netherlands). The core functions are:

  • Cookie banner and consent form: A button or modal dialog on the website by means of which visitors can give or refuse their consent to cookies and tracking tools.
  • Consent logging: Users' decisions are logged with timestamp and (where applicable, anonymised) user ID.
  • Cookie scan: The plugin scans the WordPress installation for the cookies set and scripts loaded and assigns them to categories.
  • Policy generator: Complianz automatically generates a privacy policy and a cookie banner based on the detected and configured cookies.

Technically, Complianz is a self-hosted plugin: It runs on the website operator's own WordPress installation and typically stores consent logs in the operator's own WordPress database. The plugin communicates with the Complianz servers (EU) only for updates, licence verification, and where additional services are activated (e.g. extended cookie scans).

B. Mandatory Disclosures in the Privacy Policy When Using Complianz

Operators of a website on which Complianz is used must transparently disclose the following points in their privacy policy:

  1. Use of a consent management system and its provider (Complianz B.V., Netherlands)
  2. Legal bases for processing consent decisions (cf. Section G)
  3. Types of data processed (cf. Section E)
  4. Purposes of use (provision of functionality, compliance, evidence)
  5. Retention period of consent logs
  6. Disclosure to third parties (where applicable, e.g. for cookie scan services)
  7. Data subject rights under Art. 12–22 GDPR

A sample text template could read:

On our website we use the consent management plugin Complianz (provider: Complianz B.V., Netherlands). The plugin records your consent decisions regarding cookies and tracking tools and generates the cookie-related sections of this privacy policy based on our configuration. The data collected is stored in our own WordPress database and serves to provide evidence of your consent as required by Art. 7 GDPR.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Provider of Complianz

Name and address:

  • Complianz B.V.
  • Registered office: Netherlands (EU)
  • Website: complianz.io

Special feature in self-hosted operation: Since Complianz runs as a plugin on the operator's own WordPress installation, Complianz B.V. is not a direct recipient of consent logs or visitor IP addresses. Consent decisions remain on the website operator's own servers. At most, the plugin will:

  • Retrieve updates and security patches
  • Verify licence status
  • Collect anonymised usage statistics (if activated)
  • Offer cookie scan services as part of additional paid features

Should the operator make use of optional cloud services (e.g. extended cookie analysis), these must also be disclosed in the privacy policy.

D. Data Processing – Procedure in Steps

The processing of consent data by Complianz follows this scheme:

Capture consent: The website visitor interacts with the consent banner and makes a decision (e.g. "Accept all cookies" or "Only necessary cookies").
Storage in own database: The decision is written to the local WordPress database with timestamp, pseudonymous user ID, and where applicable browser information.
Use for policy generation and evidence: The plugin uses the cookie scan results and the operator's configuration to create and update the generated privacy policy; the stored consent records serve as evidence of compliance.
No regular transfer to Complianz itself: Unless premium services are activated, no automated transmission of consent logs to the Complianz servers takes place.
Deletion after retention period: Consent data should be deleted after the retention period defined within the company (e.g. 2–3 years) in order to comply with Art. 5(1)(e) GDPR (storage limitation).

E. Data Collected by Complianz

Complianz processes the following categories of data:

  • Consent status (accepted/rejected per cookie category)
  • Timestamp of the decision
  • User ID or cookie-based identification (mostly anonymised or pseudonymised)

Environment data (if activated in the plugin)

  • IP address of the visitor (may be anonymised or not stored, depending on configuration)
  • Browser type and version
  • Operating system
  • Coarse location data (geo-targeting at country or city level, if configured)

Processing events

  • Conversion events (e.g. user submitted a form after accepting cookies)
  • Activity log when extended features are activated

This data can be divided into three classes:

  1. Web server log data (standard HTTP logs)
  2. Browser information (user agent, viewport size, etc.)
  3. Consent and conversion events (business-relevant operations)
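Two of the steps above are easy to get wrong in practice: storing the visitor's IP only in truncated form (Section E) and actually deleting records once the retention period has expired (Section D, step 5). The following is an added example written for this article, not code from Complianz or any of its tables; the schema, the column names and the 3-year retention period are assumptions chosen for illustration, and the sample rows are constructed.

```python
"""Illustrative consent-log store: anonymised IP on write, purge after retention.
The table layout and retention period are assumptions for this example, not the
plugin's real schema."""
import ipaddress
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 3 * 365  # assumption: the operator decided on a 3-year retention period


def anonymise_ip(ip: str) -> str:
    """Truncate an address before it is stored: IPv4 keeps the /24, IPv6 the /48.
    Only the truncated form ever reaches the database."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def build_sample_db() -> sqlite3.Connection:
    """In-memory table with the fields the article lists (hypothetical layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE consent_log (
               id INTEGER PRIMARY KEY,
               consent_id TEXT NOT NULL,   -- pseudonymous per-visitor identifier
               decided_at TEXT NOT NULL,   -- ISO-8601 UTC timestamp of the decision
               categories TEXT NOT NULL,   -- e.g. 'functional:1,statistics:0,marketing:0'
               ip_anon TEXT NOT NULL,      -- truncated address, never the full one
               user_agent TEXT)"""
    )
    return conn


def record_consent(conn, consent_id, decided_at, categories, ip, user_agent):
    """Write one consent decision; the IP is anonymised before the INSERT."""
    conn.execute(
        "INSERT INTO consent_log (consent_id, decided_at, categories, ip_anon, user_agent) "
        "VALUES (?, ?, ?, ?, ?)",
        (consent_id, decided_at.isoformat(), categories, anonymise_ip(ip), user_agent),
    )
    conn.commit()


def purge_expired(conn, now, retention_days=RETENTION_DAYS) -> int:
    """Delete every record older than the retention period; returns the number removed.
    All timestamps are stored as UTC ISO-8601, so string comparison orders them correctly."""
    cutoff = (now - timedelta(days=retention_days)).isoformat()
    cur = conn.execute("DELETE FROM consent_log WHERE decided_at < ?", (cutoff,))
    conn.commit()
    return cur.rowcount


def count_rows(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM consent_log").fetchone()[0]


def demo():
    """Constructed sample: one record past retention, one within it."""
    now = datetime(2026, 1, 15, tzinfo=timezone.utc)
    conn = build_sample_db()
    record_consent(conn, "c-1", now - timedelta(days=4 * 365),
                   "functional:1,statistics:1,marketing:1", "203.0.113.77", "Mozilla/5.0")
    record_consent(conn, "c-2", now - timedelta(days=100),
                   "functional:1,statistics:0,marketing:0", "2001:db8:abcd:1234::1", "Mozilla/5.0")
    deleted = purge_expired(conn, now)
    return deleted, count_rows(conn)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` removes the four-year-old record and keeps the recent one. In a live installation the purge would be scheduled (for example via WP-Cron) so that the retention period stated in the privacy policy is actually enforced rather than merely documented.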

F. Purposes of Use

The processing of consent data by Complianz pursues several purposes:

  • Provision of CMP functionality: So that the plugin can store and retrieve consents
  • Security and abuse protection: To detect bot traffic or unusual patterns
  • Compliance with data protection requirements: Evidence of consent under Art. 7 GDPR; fulfilment of § 25 TDDDG
  • Legal enforcement and prosecution: Where necessary to assert legal claims or to detect violations

G. Legal Bases

The processing of consent data by Complianz rests on several legal bases:

1. Legal Obligation (Art. 6(1)(c) GDPR)

The operator of a website is obliged to be able to demonstrate users' consent to cookies. Art. 7(1) GDPR requires that the controller "shall be able to demonstrate that the data subject has consented to processing of his or her personal data". Complianz helps to fulfil this evidentiary obligation by creating consent logs.

Legal basis for the storage of the logs themselves: Art. 6(1)(c) GDPR (compliance with a legal obligation).

2. Legitimate Interest (Art. 6(1)(f) GDPR)

In addition, processing may be justified by a legitimate interest of the operator:

  • Compliance and legal certainty: The operator has a legitimate interest in demonstrating the conformity of its website with the GDPR and the TDDDG
  • Protection from liability: By providing evidence of consent, the operator can defend itself against allegations of data protection violations
  • Operational efficiency: Automated consent management reduces administrative burden

A balancing of interests under Art. 6(1)(f) GDPR generally comes out in favour of the operator, since users' interests (protection from tracking) are safeguarded by the option to refuse non-essential cookies and the log itself contains only the decision and pseudonymous identifiers.

3. Technical Necessity (§ 25(2) No. 2 TDDDG)

The German Telecommunications Digital Services Data Protection Act (TDDDG) regulates the storage of information on, and access to information from, end-user devices. § 25(1) TDDDG requires consent for this; § 25(2) No. 2 TDDDG exempts storage that is strictly necessary for the provider to deliver a service expressly requested by the user. Complianz sets a "consent cookie" that stores the visitor's decision so that it can be honoured on subsequent page views and the banner need not be shown again; this cookie is generally regarded as falling under the strict-necessity exception of § 25(2) No. 2 TDDDG and therefore does not itself require consent.

H. Special Features and Notes on Complianz

Self-Hosted Model

In contrast to cloud-based CMPs, consent data with Complianz remains on the operator's own WordPress installation. This reduces data disclosure to third parties and can simplify compliance.

Communication with Complianz Servers

The plugin regularly sends information to the Complianz servers for licence verification and to retrieve updates. This communication should be disclosed in the privacy policy if IP addresses or other personal data are transferred.

Should the operator use the automated cookie scan or extended policy generator services, a connection to the Complianz servers (EU data centres) takes place. This must also be mentioned in the privacy policy.

European Provider

Complianz B.V. is based in the European Union (Netherlands), so the plugin's communication with the provider does not involve third-country transfers under Chapter V GDPR. This simplifies compliance.

Regular Updates Required

Since the plugin is actively further developed, the operator should regularly install security updates in order to close vulnerabilities and to ensure data protection compliance.

I. Frequently Asked Questions (FAQ)

Must I disclose Complianz when I use it?

Yes. Every consent management system that processes personal data must be transparently disclosed in the privacy policy. This follows from Art. 13 GDPR, which requires the controller, at the time the data is collected, to state among other things the purposes and legal basis of the processing (Art. 13(1)(c)), the recipients (Art. 13(1)(e)) and the retention period (Art. 13(2)(a)).

Is Complianz a processor under Art. 28 GDPR?

In the self-hosted model, Complianz B.V. does not qualify as a processor, since it does not process the data on the operator's behalf; the plugin runs on the operator's own infrastructure and the provider has no access to the consent logs. A DPA under Art. 28 GDPR is therefore not required. Should the operator book cloud services (e.g. a real-time cookie scan), the situation may change; in that case a DPA may be necessary.

How long must I store consent logs?

There is no uniform statutory retention period for consent logs. A storage period of 2–3 years is common in practice in order to:

  • Provide evidence in the event of authority requests
  • Be able to fulfil data subject rights (e.g. right of access under Art. 15 GDPR)
  • Minimise liability risks

After expiry, the logs should be deleted (Art. 5(1)(e) GDPR – storage limitation).

Do I need a Data Protection Impact Assessment (DPIA) for Complianz?

Under Art. 35 GDPR, a DPIA is required where processing is "likely to result in a high risk to the rights and freedoms of natural persons". For a standard CMP without special risks (e.g. no systematic monitoring, no automated decision-making with legal effects, no special categories of data), a DPIA is generally not required. The operator should, however, conduct and document a risk analysis.

How do I implement withdrawal of consent and objection for tracking cookies?

The Complianz cookie banner enables users to refuse cookies or to configure them granularly by category, which satisfies the consent requirement of § 25(1) TDDDG. Users must also be able to withdraw their consent at any time, and withdrawal must be as easy as giving consent (Art. 7(3) GDPR); Complianz provides mechanisms for this (e.g. a preference centre reachable from every page). Art. 21 GDPR (right to object) applies where processing rests on legitimate interest rather than consent, for example the retention of the consent logs themselves.

J. Conclusion and Next Steps

Complianz is a consent management plugin that can be operated in a data-protection-compliant manner, provided that it is correctly configured and transparently disclosed in the privacy policy. The processing of consent data is based on Art. 6(1)(c) and (f) GDPR as well as § 25 TDDDG. Since the provider is based in the EU (Netherlands), third-country transfer requirements do not arise.

Website operators should:

  1. Specify Complianz in the privacy policy and list the categories of data processed
  2. Regularly review consent logs and delete them after the retention period
  3. Install plugin updates in order to close security vulnerabilities
  4. Configure cookie settings granularly so that users can refuse tracking
  5. Optional: conduct a data protection audit in order to verify compliance

Reliable legal support is provided by a specialised data protection officer or data protection lawyer.


Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
