Skip to main navigation Skip to main content Skip to page footer
Logo Kostal

Privacy statement

Below you will find the information required under Articles 13 and 14 of the General Data Protection Regulation ("GDPR") regarding the processing of your personal data when you visit (hereinafter referred to as "you" or "your") our website www.kostal.com (hereinafter referred to as "website") by Leopold Kostal GmbH & Co. KG (hereinafter referred to as "we" or "us").

A. Data controller and data protection officer

Leopold Kostal GmbH & Co. KG, An der Bellmerei 10, 58513 Lüdenscheid, info@kostal.com, telephone +49 (0) 2351 16-0.

Data protection officer of the KOSTAL Group, An der Bellmerei 10, 58513 Lüdenscheid, datenschutz@kostal.com

B. Information about the processing of personal data

Below you will find information about the processing of your personal data for the purposes specified there in more detail, as well as, among other things, the legal basis for the processing. If the legal basis for the processing is stated as the balancing of interests, you can request further information on the balancing of interests from us using the contact details provided in section A .

I. Use of the website

1. Informational use of the website

When you visit our website, we process the IP address of your device for technical reasons, i.e., to enable the website to be displayed. Without this information, we cannot provide the content of the website that you have accessed.

In addition, to protect our IT infrastructure, we process the IP address of your device, the type and version of the Internet browser you are using, information about the operating system of your device, information about the pages you have accessed, the previously visited page (referrer URL), and the date and time of access, and store this information in so-called log files.

The legal basis for this processing is the balancing of interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Our legitimate interest is to provide the content of the website accessed by the user and to protect the IT infrastructure used to provide the website, in particular to detect, eliminate, and document evidence of malfunctions (e.g., DDoS attacks). You can request further information on this balancing of interests from us using the contact details provided in Section A.

The recipient of this data is our hosting provider Microsoft Azure, which acts as a processor on our behalf. Another recipient is PSV Neo GmbH, which also acts as a processor and is responsible for developing, maintaining, and servicing the website.

We generally store this personal data in the log files for thirty (30) days. In the event of a security-related incident (e.g., an attack), we will store the log files until the security-related incident has been resolved and fully investigated.

2. Typo3

In order to provide this website, we use the Typo3 web content management system, which provides analysis functions for evaluating surfing behavior. For this purpose, information generated by cookies about the use of this website is stored in a database on a server of a service provider contractually bound to us. The data collected is anonymized by technical measures (e.g., by deleting the last digits of the IP address), including the anonymized IP address (anonymization is achieved by deleting the last digit).

The legal basis for the use of Typo3 is the balancing of interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest is the provision of the website content requested by the user and the protection of the IT infrastructure used to provide the website.

You can prevent the installation of cookies by adjusting your browser software settings accordingly. This is described in Section D.II. However, we would like to point out that this may mean that not all functions of this website can be used to their full extent.

The recipient of this data is our hosting provider Microsoft Azure, which acts as a processor on our behalf.

We store this personal data in the log files for a period of thirty (30) days. In the event of a security incident (e.g., an attack), we will store the log files until the security incident has been resolved and fully investigated.

3. Usercentrics

We use the Usercentrics Consent Manager to manage your consent, possible revocations of consent, and objections to the use of cookies.

Data processing in this context is carried out to manage user decisions regarding cookies (consent, revocation, opt-out) and to ensure the security of the application.

The IP address of your device, the type and version of the Internet browser you are using, information about the operating system of your device, information about the pages accessed, the previously visited page (referrer URL), and the date and time of access are processed. In addition, the user's decision regarding individual cookies or groups of cookies is stored at the time of the decision and the last visit.

The legal basis for processing is the balancing of interests (Article 6(1)(f) GDPR). Our legitimate interest here lies in the simple and reliable control of cookies.

The recipient of the data is Usercentrics GmbH, which acts as our processor.

We store the data for a period of 6 months. The revocation of a previously given consent is stored for three years (accountability). Server log data is anonymized before storage.

We would like to point out that it is not possible to use the website without transferring personal data, such as your IP address. There is no automatic decision-making process regarding consent to the use of cookies.

II. Job vacancies

You will also find links to job vacancies on the website. These links lead to an external website, which has its own privacy policy. You can find it here.

III. Analysis of website behavior using Google Analytics 4

If you have given your consent, the website uses the web analytics service Google Analytics 4, which is offered for persons in Europe, the Middle East, and Africa (EMEA) by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google"). We integrate Google Analytics 4 via Google Tag Manager. If you have not consented to the use of analysis tools, your data will not be collected by Google Analytics 4.

Google Analytics 4 uses JavaScript and pixels to read information on your device and cookies to store information on your device. This is used to analyze your usage behavior and improve our website. The access data is aggregated by Google on our behalf into pseudonymous usage profiles and transferred to a Google server in the USA. We will process the information obtained to evaluate your use of the website and to compile reports on website activity.

As part of the evaluation, Google Analytics 4 also uses artificial intelligence such as machine learning for automated analysis and enrichment of the data. For example, Google Analytics 4 models conversions if there is not enough data available to optimize the evaluation and reports. You can find more info on this in the relevant Google documentation. Data analysis is performed automatically using artificial intelligence or based on specific criteria defined individually. For more information, please refer to the relevant Google documentation.

The data collected as part of the usage analysis by Google Analytics 4 is enriched with data from Google Search Console and linked to data from Google Ads in order to measure the success of our advertising campaigns (so-called conversions).

Processed data: Google Analytics 4 may process the following data:

  • IP address;
  • User ID and device ID;
  • Referrer URL (previously visited page);
  • Pages accessed (date, time, URL, title, duration of visit);
  • Downloaded files;
  • links to other websites clicked on;
  • Achievement of specific goals (conversions);
  • technical information (operating system; browser type, version, and language; device type, brand, model, and resolution);
  • Approximate location (country, region, and, if applicable, city, based on anonymized IP address).

Privacy settings: We have made the following privacy settings in Google Analytics 4:

  • Anonymization of the IP address;
  • Advertising feature disabled;
  • Personalized advertising disabled;
  • Remarketing disabled;
  • retention period of 2 months (and no reset of the retention period in the event of new activity);
  • Cross-device and cross-site tracking (Google Signals) disabled;
  • Data sharing disabled (in particular Google products and services, benchmarking, technical support, account specialist).

We have entered into a data processing agreement with Google Ireland Limited for the use of Google Analytics 4. In the event that personal data is transferred by Google Ireland Limited to the US, Google Ireland Limited and Google LLC have entered into standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) in accordance with Art. 46 (2) lit. c GDPR. In addition, we also obtain your express consent in accordance with Art. 49 para. 1 lit. a GDPR for the transfer of your data to third countries.

Further information on Google Analytics 4 can be found in Google's privacy policy and in the Google Analytics privacy policy. Further information on the cookies used by Google Analytics 4 can also be found in Google's documentation.

C. Third-party plug-ins

The third-party plug-ins described below are integrated into our website. These enable you to use certain services provided by external providers directly on our website. These third-party plug-ins are provided under the responsibility of the provider named below.

Plug-in providers may (similar to when you visit an external website via a link) receive your IP address and the address (URL) of the website from which you accessed the plug-in. If you are registered as a user with the third-party provider, the plug-in provider can usually also assign the data received to your user account.

I. YouTube

YouTube video player is integrated to our Website. The third-party provider of this plug-in is YouTube LLC. This is a company under US law. Information about YouTube can be found here, and the privacy policy of YouTube LLC can be found here. There you will find information about the processing of personal data by YouTube LLC. YouTube is a subsidiary of Google. The information on the transfer of personal data to the US in Section B. therefore applies accordingly.

II. Google Tag Manager

Our website uses the Google Tag Manager service, which is provided for users in the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, and for all other users by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (together "Google").

Google Tag Manager is used exclusively for the management of website tools through the integration of so-called website tags. A tag is an element that is stored in the source code of our website in order to execute a tool, for example through scripts. If these are optional tools, they will only be integrated by Google Tag Manager with your consent. Google Tag Manager does not use cookies.

The legal basis is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, which you can give via Access to and storage of information on the end device is then based on the implementation laws of the e-Privacy Directive of the EU member states, in Germany in accordance with Section 25 para. 1 TTDSG. You can revoke your consent to the use of the tools at any time. To do so, click on "Privacy settings" at the bottom of the page, which will bring up the cookie banner again and allow you to select or deactivate individual tools.

For the purpose of ensuring stability and functionality in the use of Google Tag Manager, Google collects information about which tags are integrated by our website, but generally no personal data, in particular no data about usage behavior, IP addresses, or the pages visited.

We have concluded a data processing agreement with Google. In the event that personal data is transferred to the USA, we have concluded standard contractual clauses with Google.

For more information, please refer to Google's information on Tag Manager: support.google.com/tagmanager/answer/9323295

III. Maptoolkit

We use the Maptoolkit map service to display maps on our website. Maptoolkit is provided by Toursprung GmbH, Mariahilfer Str. 93/20, 1060 Vienna, Austria. When you access the content of our website, you will be connected to the servers of Toursprung GmbH. Your IP address and possibly browser data such as your user agent will be transmitted. This data is processed exclusively for the above-mentioned purposes and to maintain the security and functionality of Maptoolkit. The IP address is technically anonymized before any further processing. It is not possible to trace this data back to individual persons.

The aforementioned data is only stored for the duration of use. Further information can be found in the privacy policy at www.maptoolkit.com/de/privacy/.

D. Use of cookies

When you use our website, we store cookies in your browser unless you prevent this by adjusting your browser settings.

I. General information about cookies

Cookies are small text files containing information that can be stored on the user's device via the browser when visiting a website. When the website is accessed again using the same device, the cookie and the information stored in it can be read.

In principle, and also in the description of the individual cookies we use in section D.III , a distinction is made between (i) first-party and third-party cookies, (ii) transient and persistent cookies, and (iii) cookies that do not require consent and cookies that require consent.

First-party cookies are those set by us or a processor commissioned by us. Third-party cookies, on the other hand, are those set and accessed by another controller.

Transient cookies are deleted when you close your browser. Persistent cookies, on the other hand, are those that are stored on your device for a certain period of time.

Cookies that do not require consent are those whose sole purpose is to carry out the transmission of a message via an electronic communications network. Cookies that are strictly necessary for the provider of an information society service expressly requested by the participant or user to provide that service (also known as "strictly necessary cookies") also do not require consent. All other cookies require consent.

II. Cookie management

Insofar as the use of certain cookies requires the user's consent, we only use these cookies when you use the website if you have given your consent beforehand. For information on whether consent is required for the use of a cookie, please refer to section D.III .

When you visit our website, we display a "cookie banner" in which you can declare your consent to the use of cookies on this website by clicking a button. By clicking the button provided for this purpose, you have the option of consenting to the use of all cookies requiring consent as described in detail in section D.III of this cookie information.

We also store your consent and, if applicable, your individual selection of cookies requiring consent in the form of another cookie ("opt-in cookie") on your device so that we can determine whether you have already given your consent when you visit the website again. The opt-in cookie has a limited validity period of one (1) month.

Cookies that are strictly necessary cannot be deactivated via the cookie management function of this website. However, you can deactivate these cookies at any time in your browser.

You can also manage the use of cookies in your browser settings. Different browsers offer different ways to configure cookie settings in your browser. For more detailed information, please visit www.allaboutcookies.org/ge/cookies-verwalten/.

If you disable the storage of cookies in your browser, some functions of the website may not work or may no longer work properly.

Your consent is given in the cookie banner Art. 6 para. 1 sentence 1 lit. a GDPR, which you give via the consent banner or in the respective tool itself by individually permitting its use via a banner (overlay) placed above it. Access to and storage of information on the end device is then based on the implementing laws of the e-Privacy Directive of the EU member states, in Germany pursuant to Section 25 (1) TTDSG. You can revoke your consent to the use of the tools at any time. To do so, click on "Privacy Settings" at the bottom of the page, which will bring up the cookie banner again and allow you to select or deactivate individual tools.

III. Cookies used on this website

Below you will find information about the cookies we use.

1. Name: UC_setting and/or uc String

Purpose and content: Absolutely necessary opt-in cookie (see section II above) for storing your consent and, if applicable, your individual selection for the use of cookies on your device in order to determine whether you have already given your consent when you visit the website again. Responsibility: First-party. Validity: transient. Consent required: no. Legal basis for processing: Balancing of interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Our legitimate interest is the management of cookie consents given by the user for this website.

2. Name: ucData (optional)

Purpose and content: Opt-in cookie that is absolutely necessary to store your consent and, if applicable, your individual selection for Google Consent Mode. Responsibility: First party. Validity: transient. Consent required: no. Legal basis for processing: Balancing of interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Our legitimate interest is the management of cookie consents given by the user for this website.

3. Name: ASLBSA

Purpose and content: This cookie is used to provide a load balancing function. Responsibility: First-party. Validity: transient. Consent required: no. Legal basis for processing: Balancing of interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Our legitimate interest is to ensure the security of our website.

4. Name: ASLBSACORS

Purpose and content: This cookie is used to provide a load balancing function. Responsibility: First-party. Validity: transient. Consent required: no. Legal basis for processing: Balancing of interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Our legitimate interest is to ensure the security of our website.

5. Name: INGRESSCOOKIE

Purpose and content: This cookie is used to store information in forms, for example contact forms, changes to the shopping cart. Responsibility: First-party. Validity: transient (session). Consent required: no. Legal basis for data processing: balancing of interests (Art. 6 para. 1 sentence 1 lit. f GDPR). Our legitimate interest is to provide the informational function of the website requested by the user.

6. Name: _ga

Purpose and content: This cookie is used by Google Analytics (see Sections B IV and V) and serves to distinguish users by means of an assigned ID. Responsibility: First-party. Validity: persistent (two (2) years). Consent required: yes. Legal basis for processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

7. Name: ga <container-id>

Purpose and content: This cookie is used by Google Analytics (see Sections B IV and V) and is used to ensure that the session status is maintained. Responsibility: First-party. Validity: persistent (two (2) years). Consent required: yes. Legal basis for processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

8. Name: __ga_Z7P6DYSK41

Purpose and content: used by Google Analytics (see section B), serves to throttle the request rate, i.e. the maximum number of requests sent to Google's servers. Responsibility: First party. Validity: persistent (one (1) month and 3 days). Consent required: yes. Legal basis for processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

9. Name: sak

Purpose and content: Stores information about video preferences. Responsibility: First-party. Validity: Session. Consent required: yes. Legal basis for data processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

10. Name: LAST_RESULT_ENTRY_KEY

Purpose and content: This cookie is used to store user settings when accessing a YouTube video embedded on other websites. Responsibility: First party. Validity: Session. Consent required: yes. Legal basis for data processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

11. Name: yt-player-bandaid-host, yt-player-bandwidth, yt-player-headers-readable

Purpose and content: This cookie is used to determine the optimal video quality based on the visitor's device and network settings. Responsibility: First-party. Validity: Session. Consent required: yes. Legal basis for data processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

12. Name: yt-remote-cast-installed, yt-remote-connected-devices, yt-remote-device-id, yt-remote-fast-check-period, yt-remote-session-app, yt-remote-session-name

Purpose and content: This cookie is used to store the user's video player settings with embedded YouTube videos. Responsibility: First-party. Validity: Session. Consent required: yes. Legal basis for data processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

13. Name: YEC

Purpose and content: This cookie is used to store the user's video player settings with embedded YouTube videos. Responsibility: Third party. Validity: persistent (1 year 1 month. Consent required: yes. Legal basis for processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

14. Name: CONSENT

Purpose and content: This cookie is used to embed videos from YouTube (see section C) on the website. Responsibility: Third party. Validity: persistent (19 years). Consent required: yes

15. Name: DEVICE_INFO

Purpose and content: This cookie is used to track the user's interaction with embedded content. Responsibility: Third party. Validity: persistent (5 months 26 days). Consent required: yes. Legal basis for processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

16. Name: remote_sid

Purpose and content: This cool cookie is used to enable the implementation and functionality of YouTube video content on the website. Responsibility: First party. Validity: Session. Consent required: yes. Legal basis for processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR)

17. Name: test_cookie

Purpose and content: The cookie is set on a trial basis to check whether the browser allows cookies to be set. Does not contain any identifying features. Responsibility: Third party. Validity: persistent one (1) day. Consent required: yes. Legal basis for data processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

18. Name: NID

Purpose and content: This cookie is used to embed videos from YouTube (see section C.CI ) on the website. Responsibility: Third party. Validity: persistent (6 months). Consent required: yes. Legal basis for processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

19. Name: PREF

Purpose and content: This cookie is used to embed videos from YouTube (see section C) on the website. Responsibility: Third party. Validity: persistent eight (8) months. Consent required: yes. Legal basis for processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

20. Name: VISITOR_INFO!_LIVE

Purpose and content: This cookie is used to embed videos from YouTube (see section C.CI ) on the website. Responsibility: Third party. Validity: persistent (6 months) Requires consent: yes. Legal basis for processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

21. Name: YSC

Purpose and content: This cookie is used to embed videos from YouTube (see section C.II ) on the website. Responsibility: Third party. Validity: Session. Consent required: yes

22. Name: pm_sess

Purpose and content: This cookie is used to maintain the browser session. Responsibility: Third party. Validity: persistent (30 minutes). Consent required: yes. Legal basis for processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

23. Name: CGIC

Purpose and content: This cookie is used to provide search results by automatically completing search queries based on a user's initial input. Responsibility: Third party. Validity: persistent (6 months). Consent required: yes. Legal basis for processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

24. Name: UULE

Purpose and content: This cookie is used to determine the geographical location of the user. Responsibility: Third party. Validity: persistent (6 hours). Consent required: yes. Legal basis for processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

25. Name: Secure-Yec

Purpose and content: This cookie is used to store the user's video player settings with embedded YouTube videos. Responsibility: Third party. Validity: persistent (1 year 1 month Requires consent: yes. Legal basis for data processing: consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

26. Name: _Secure_Rollout_Token

Purpose and content: These cookies are used by YouTube to manage the gradual introduction of new features and updates. This means that they help assign users to specific test groups for new features that are being tested on the platform. Responsibility: First-party. Validity: persistent (180 days). Consent required: yes. Legal basis for data processing: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

E. Information about the rights of data subjects

As a data subject, you have the following rights with regard to the processing of your personal data, which you can exercise by contacting us using the contact information provided in the section A :

  • A right to information (Art. 15 GDPR) about which personal data we process about you. This includes further information about the data processing, such as the purpose and legal basis, as well as the recipients of this data. You also have the right to request a copy of this data.
  • The right to request that we correct any inaccurate personal data concerning you and complete any incomplete personal data (Art. 16 GDPR).
  • A right to request the erasure of personal data concerning you in cases provided for by law (Art. 17 GDPR), for example if the data is no longer required for the purposes for which it was collected or if it has been processed unlawfully.
  • A right to request the restriction of processing in cases prescribed by law (Art. 18 GDPR).
  • A right to receive the personal data concerning you that we process on the basis of your consent or for the performance of a contract (see section B ) in a structured, commonly used and machine-readable format (right to data portability, Art. 20 GDPR).
  • The right to withdraw your consent at any time. This does not affect the lawfulness of the processing carried out until the withdrawal.
  • A right to lodge a complaint with a supervisory authority (Art. 77 GDPR). A list of data protection supervisory authorities with their addresses can be found here.

Right to object

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6 (1) (f) GDPR (see section B ). We will then no longer process the personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

You may not be entitled to the above rights in all cases. The law provides for restrictions in each case. You can find the full scope of your rights in the above articles, which you can access at the following link: eur-lex.europa.eu/legal-content/DE/TXT/HTML/.

1st of June, 2025