The 'cookie_cmd' cookie is used to remember form post data in cases where a page needs a reload/redirect (via JS).
It actually shouldn't survive but get deleted immediately upon the page reload, but there may be cases where this doesn't work (see Josh's comment here)
AFAIK it will only be set in the admin part (for logged-in users) but I'm not completely certain about it.
Although it does not store any personal data, from the GDPR ( DSGVO) perspective, that's nothing a visitor would have to check.
Since the cookie contains 'cryptic stuff' such as the post nonce – which is quite a long random hash – the visitor cannot know what this value actually stands for, what it stores and if it can be used to track him.
Therefore, if the cookie persists I'd mention it in your data privacy statement, just to be on the safe side.