Privacy Notice

Welcome to our website and thanks for your interest in Somnitec AG (hereinafter referred to as ‘Somnitec’). As a company of the FERNAO Group, data protection is very important at Somnitec. With this in mind, we would like to provide information on the type and scope of data processing we carry out, in particular which personal data we may collect when you visit our website and for which purposes we use this data. At Somnitec, personal data is always processed in compliance with the country-specific data protection regulations to which Somnitec is subject (Swiss Data Protection Act, the associated ordinance and in accordance with the EU General Data Protection Regulation (GDPR)). The GDPR requires us to specify the legal bases on which we process personal data, which is why we shall refer to the corresponding articles of the GDPR below.

In addition, we would like to provide you, the data subject, with information on the processing we carry out at Somnitec and your rights in this regard.

As we may be required to update this Privacy Notice following changes to regulations or our internal processes, we kindly ask you to read through this Privacy Notice on a regular basis. You can read, save and print this Privacy Notice at any time.

Section 1: Controller

The controller on this website is:

Somnitec AG
Bahnhofstrasse 270
4563 Gerlafingen

The controller is responsible for deciding on the purpose and means used to process personal data (names, contact information, etc.), either alone or by consulting others.

Section 2: Contact partner for data protection queries

You can contact the controller’s contact partner for data protection queries using the following information:

Vireak Soeur (Somnitec AG)
Bahnhofstrasse 270
4563 Gerlafingen

Our representative in the European Union is:

VGS Datenschutzpartner UG
Am Kaiserkai 69
20457 Hamburg

Section 3: Processing and retention periods

In the following section, we provide information on the specific purposes along with the type and scope of personal data processing we carry out in relation to the use of our website. In addition, we will also state the legal bases on which the respective data processing is carried out and the retention periods that are determined on the basis of objective criteria where necessary.

1. Website provision

When you visit and use our website, we collect certain personal data automatically sent to our servers by your browser. This information is then temporarily stored in a server log file. We collect the following data when you visit and use our website:

•    IP address
•    Pages visited on our domain
•    Date and time of the server request
•    Browser type and version
•    Operating system used and name of the access provider, if applicable
•    Referrer URL (website from which you were referred to us)
•    Host name of the accessing computer
•    Name and URL of accessed files

This data is strictly necessary to deliver our website to you and ensure its stability and security. As a result, this data is processed on the legal basis of Art. 6(1) lit. f GDPR and serves to protect our legitimate interests in terms of providing our website. It is not merged with data from other sources.

Server log files are kept for a 7-day retention period. The collection of data to deliver our website and ensure the stability and security of our website, including the subsequent storage thereof in server log files, is strictly necessary for the operation of our website. As follows, users are not entitled to object to this processing. Storage beyond the above retention period may occur in individual cases where permitted by law.

2. Contact options

If you want to send a query, ask a question regarding our products and services or receive information on our company, you are welcome to use the contact form or the various email addresses published on our website. If you opt to get in touch using one of the above contact methods, we will process the following personal data (mandatory information marked with *):

•    Surname*
•    First name*
•    Company*
•    Job title
•    Email address*
•    Phone number*
•    Subject and content of your message*

We will solely use your data, including your contact information, to file and process your message or to be available for subsequent communication. No data is passed on to third parties.

The processing described above in relation to contacting us generally takes place on the legal basis of Art. 6(1) lit. f GDPR to protect our legitimate interests. In this case, our legitimate interest lies in our ability to respond to your message and provide you with an adequate response. If you contact us to receive a quote for our products or services, the processing takes place on the basis of Art. 6(1) lit. b GDPR, namely processing for the performance of a contract or in order to take steps prior to entering into a contract.

Data disclosed to us for the purpose of processing your query shall be stored until they are no longer required to perform a contract or take steps prior to entering into a contract, or are no longer required to protect our legitimate interests (defend against or assert legal claims, documentation required under data protection legislation, etc.). Mandatory statutory retention periods may justify longer storage in certain cases.

3. Newsletter subscription

In order to subscribe to our newsletter, you first need to provide your name and email address. The email address provided is then verified via a confirmation link in a separate email. This step is required in order to receive our newsletter on a regular basis. No further data is collected. Any further disclosures are made on a voluntary basis. This information is solely used for the purpose of sending the newsletter.

The data specified above is only collected on the basis of your consent as per Art. 6(1) lit. a GDPR and solely used for the purpose of sending the newsletter. The newsletter contains information on Somnitec as a company, its products and services along with upcoming online events and latest developments in the IT security industry. You reserve the right to withdraw previously granted consent at any time. An informal notification sent by email or post to the contact information listed in Sections 1 or 2 suffices to withdraw your consent. You can also unsubscribe from the newsletter by clicking on the ‘Unsubscribe’ link in the newsletter. The legality of the data processing carried out up to the point of withdrawal remains unaffected by the withdrawal of your consent.

Data used to set up your newsletter subscription shall be erased if you unsubscribe or withdraw your consent. If this data was disclosed to us for other purposes or elsewhere, we shall continue to store it.

4. Applications

We collect the following data (either ourselves or through a third party appointed by us) from you when you register an application as a job seeker:

•    Personal information (name, address, marital status, etc.)
•    Contact information (email address, phone number)
•    Information on your professional qualifications and education
•    Information on your career and current work situation
•    Other information you disclose in relation to your application, if applicable

If you have sent us this information in relation to the application form, it will be recorded and stored in our online application tool. The same applies to applications sent to us by email or post. Any other information disclosed to us in phone calls or personal conversations may likewise be stored in the application tool in the form of logs, for example.

Where processing of the aforementioned data is required to make a decision on whether the establish an employment relationship, this processing takes place on the basis of Art. 6(1) lit. b and Art. 88 GDPR in conjunction with Section 26 BDSG. Furthermore, we may process personal data disclosed by you as part of the application process where required in order to meet our legal obligations as per Art. 6(1) lit. c GDPR.

If we establish an employment relationship with you, we may continue to process personal data already received from you to establish the employment relationship in accordance with Art. 6(1) lit. b and Art. 88 GDPR in conjunction with Section 26 BDSG, provided this is necessary to perform or end the employment relationship.

If your application is not successful, a 6-month retention period shall apply for the aforementioned data starting once the application process is complete, provided longer storage is not required or permissible by law. The data shall be stored where required to meet our legal obligations as per Art. 6(1) lit. c GDPR or to protect our legitimate interests as per Art. 6(1) lit. f GDPR. In this context, our legitimate interest may lie in asserting, exercising or defending against legal claims and the resulting burden of proof in proceedings, for example.

If you have granted us your consent during the application process or in relation thereto, we may also add you to our applicant pool. In that case, we shall store data you disclose during the application process in order to ensure you are considered for future suitable vacancies at Somnitec, if applicable. You can withdraw your consent to this processing by sending an informal notification by email or post to the contact information listed in Sections 1 or 2. The legality of the data processing carried out up to the point of withdrawal remains unaffected by the withdrawal. Your data shall be stored until you withdraw your consent or up to a maximum of 2 years after completion of the application process.

5. Processing of customer data

In order to process your query and conduct our business relationship, we process the following personal data to the extent required to conduct our contractual relationship, fulfil our duties in this regard and to exercise any related rights:

  • Contact information (name, email address, company and job title, if necessary)
  • Content and communication data
  • Contract and invoice data

Your data shall be processed in particular in relation to:

  • Electronic communications by email used to pass on information and maintain business operations
  • Creating a customer account
  • Processing customer orders, deliveries and payments
  • Generating quotes, order confirmations and delivery notes, and processing cash payment for selling goods to customers
  • Registering incoming payments from customers and balancing customer accounts
  • Sending invoices to customers and asserting claims
  • Sending letters to customers to maintain the customer relationship and announce news
  • Processing invoices, notifications, payment reminders and credit notes to monitor incoming payment and receivables from suppliers to cover differences
  • Participant lists for customer events in order to track attendance, creating invoices for customer events and event planning

As a result, collection and processing take place in order to take steps prior to entering into a contract and to perform our contractual relationship on the legal basis of Art. 6(1) lit. b GDPR. Failure to disclose this data can mean that the business processes may be cancelled. Your personal data will only be passed on within the company. Any processing beyond this scope will only take place if you have consented to this as per Art. 6(1) lit. a GDPR or the processing in question is permitted by law.

In order to protect our legitimate interest, we may also contact you from time to time regarding updates on our products or services. Our legitimate interests in this regard lie in maintaining the customer relationship. This processing takes place on the legal basis of Art. 6(1) lit. f GDPR.

In the case that we don’t process your contact information for company-related purposes, we shall store your contact information for a 10-year period after the end of the contractual relationship. Once this period ends, the data collected shall be deleted or blocked if erasure isn’t possible.

Section 4: Measuring website traffic

We use the web analytics service Matomo on our website. Matomo is an open-source solution used to measure traffic on our website based on JavaScript. In order to measure traffic, we solely collect the following information on our website; how often visits occur, whether we have regular visitors/users, which countries they come from and how they behave on the website in terms of its user friendliness.

We also measure traffic anonymously, whereby your IP addressed is truncated to the last digits (2 bytes). As a result, it is not possible to draw any conclusions about your person from the data collected. While Matomo Tag Manager does not use cookies, a cookie is set to make a distinction between users (see Section 5 ‘List of cookies and similar technologies’). Apart from this, no cookies are used. Your data is not passed on to third parties. However, our parent company FERNAO (see Section 6(3)) provides us with Matomo as a service and consequently processes your data on our behalf.

This process takes place on your express consent, given voluntarily as per Art. 6(1) lit. a GDPR. Processing this data primarily helps us make our website more user friendly, improve our reach and therefore offer added value for all parties involved.

You reserve the right to withdraw your consent to this processing or the aforementioned traffic measurement on our website at any time with future effect by clicking on the footer of our website or below on cookie settings and configuring your settings accordingly or updating the corresponding browser settings.


Our website uses tracking pixel technology provided by WiredMinds GmbH ( to analyse user behaviour. This requires processing of the user’s IP address. This processing solely takes place in order to collect company-relevant information like company names, for example. IP addresses belonging to natural persons are not processed further (whitelisting process). IP addresses are likewise not stored in LeadLab. Safeguarding the data protection rights of natural persons is of the utmost importance to us when we process data. Our interest in processing is based on Art. 6(1) lit. f GDPR. The data we collect does not enable us to draw any conclusions about an identifiable person.

WiredMinds GmbH uses this information to generate anonymous user profiles related to user behaviour on our website. Data obtained in the process is not used to personally identify the users of our website.

Anonymised analytics data is only stored as long as it is required to pursue our legitimate interests. Retention periods beyond this duration may be permissible according to statutory provisions in certain cases.

Section 5: Use of cookies

We use cookies on our website. Cookies are small text files that are allocated to the browser you use and saved on your hard drive in a string of characters, which enables the website that sets the cookie to receive certain information. Cookies are not able to run programs or transfer viruses to your computer. As a result, they do not inflict any damage. Their purpose is to make our website as user-friendly as possible.

Cookies may contain data that enables us to recognise the device you use each time you visit our website. Certain cookies may also contain information on specific settings that do not constitute personal data. Cookies cannot be used to directly identify a used.

There are two different types of cookies; session cookies, which are deleted when you close your browser, and persistent cookies, which remain saved after the end of the individual sitting.

Every instance of cookies being used for a not strictly necessary purpose constitutes a data process that requires your express and active consent as per Art. 6(1) lit. a GDPR. Furthermore, we shall only pass on your personal data collected by cookies to third parties if you grant your express consent thereto as per Art. 6 (1) lit. a GDPR.

Clarity analytics tool

Clarity is a tool used to analyse user behaviour, which helps us gain an understanding of how users interact with our website. In addition, clarity collects the following categories of user interactions:

•    Interaction events: Clicks, scrolling, mouse movements, resizing the window, selections, inputs, etc.
•    Diagnostic events: Script and image errors, logs, performance events, etc.
•    Page events: Document sizes, page visibility, page unloading, metrics and page sizes.
•    User-defined events: User-defined variables/events set by the website on the basis of a certain event.

This data collection only takes place if you have granted your express thereto by clicking on ‘Consent’ in our cookie banner. In this case, the data processing takes place on the legal basis of Art. 6(1) lit. a GDPR. You reserve the right to withdraw previously granted consent. You can withdraw your consent at any time with future effect in the footer on our website or as specified above in Section 5 under ‘Cookie settings’.


List of cookies and similar technologies

The following cookies and similar technologies are used on our website:


Cookie name


Retention period


Keeps the Clarity User ID and preferences, unique to that site, on the browser. This ensures that behaviour in subsequent visits to the same site will be attributed to the same user ID.

1 year


Connects multiple page views by a user into a single Clarity session recording.

1 day


Identifies the first time Clarity saw this user on any site using Clarity.

1 year



Indicates whether MUID is transferred to ANID, a cookie used for advertising. Clarity doesn't use ANID and so this is always set to 0.

10 minutes


Indicates whether to refresh MUID.

During session


Identifies unique web browsers visiting Microsoft sites. These cookies are used for advertising, site analytics, and other operational purposes.

1 year


Used in synchronizing the MUID across Microsoft domains.

During session


Service provided by FERNAO (see Section 6(3)) in order to generate detailed statistics about user behaviour on our website. Cookies are used to distinguish between users and link data from several website visits.

1 – 30 months

Matomo Tag Manager (doesn’t use cookies)

Service provided by FERNAO (see Section 6(3)) to manage tags triggered by a specific event that inserts a third-party script or sends data to a third-party service. No cookies are technically set on the user’s client device, however, technical and personal detail such as the user’s IP address are sent from the client to the service provider's server to enable use of the service.

During session

Section 6: Recipients of personal data and international data transfers

1. When and on which grounds are we permitted to disclose your personal data?

We shall only pass on your personal data to third parties and other recipients where permitted according to the pertinent data protection regulations. We require a legal basis to pass on your data, which generally involves the following situations:

•    We are legally required to pass on your information (e.g. to data protection authorities);
•    The disclosure is required for us to perform our contractual duties (e.g. to an affiliate);
•    We need to disclose your data to protect our legitimate interests (e.g. to external lawyers for compliance reasons);
•    You have granted your express consent thereto

We have also appointed certain service providers to process your personal data on our behalf in their capacity as processors (e.g. our website provider and agencies that help us manage the content on our site). These processors are contractually obligated to process your personal data on the sole basis of our contractual agreement and in compliance with instructions we have issued. As processors, our service providers also receive your personal data.

2. Data transfers within/outside Switzerland and the European Economic Area

In principle, your personal data is processed within Switzerland and the European Economic Area (EEA). However, we use services from certain service providers and/or third-party providers (hereinafter referred to as ‘Recipients’), that may not process your personal data within Switzerland or the EEA, but rather in a country not situated in either of these regions (see Section 3 below). When your data is transferred to recipients located outside Switzerland or the EEA, if the Swiss Federal Data Protection and Information Commissioner (FDPIC) or the EU commission has not established an adequate level of data protection in the countries in question (adequacy decision), an adequate level of data protection shall be established for the processing of your personal data through appropriate safeguards (e.g. EU standard contractual clauses).

When your data is transferred to a recipient headquartered outside Switzerland or the EEA, the processing may take place on the basis of specific national laws applicable to the recipient in a country where the same level of protection ensured in Switzerland or the EEA cannot be guaranteed. In particular, this includes transfers of your personal data to recipients located in the U.S. The same degree of protection cannot be guaranteed in the U.S. as the U.S. authorities are granted the right under current U.S. law to view and process the personal data of data subjects transferred from the EEA to the U.S., including data subjects who are not American citizens. This processing may occur without any particular cause or the ability of the data subject to object to unlawful accesses. Accordingly, transfers of data to the U.S. may involve certain risks, concerning the disproportionate surveillance practices of U.S. authorities. In certain circumstances, this may entail that the rights and liberties to which you are entitled under EU law may only be safeguarded to a certain extent, particularly in the U.S.

If we are aware that your personal data shall be transferred into countries such as the U.S. and an adequate level of data protection can therefore not be guaranteed, prior to transferring your data, we shall ensure that either other adequate and legally required protection and security measures are implemented or that we obtain your express consent and you are informed of the associated risk in this Privacy Notice, namely that your data cannot be adequately safeguarded against unlawful access or use.

3. List of recipients of your personal data

Recipients and categories of recipients

Purpose of data transfer/disclosure

Legal basis for data processing

Recipient country/data transfers outside Switzerland or the EEA

FERNAO Networks Holding GmbH (parent company)

Fulfilment of compliance requirements; coordination of marketing measures

-          (Pre-)contractual duty

-          Legitimate interest

-          Legal duty

-          Consent


Neuzeichen AG (marketing agency)

Provider of the site and its content (solely access right – not hosting)

-          Legitimate interest

-          DPA


Ostendis AG I Swiss E-Recruiting

Recruiting solution used by Somnitec

-          (Pre-)contractual duty

-          Legitimate interest

-          Legal duty

-          Consent

-          DPA


Microsoft Clarity

Analyses user activities on the website

-          Consent

-          DPA (incl. SCC)


If applicable, the authorities

Lawful request to meet statutory duties/requirements

-          Legal duty


Legal counsel

Fulfilment of compliance requirements; asserting, exercising and defending against legal claims

-          Legitimate interest

-          Legal duty


Partner (e.g. software manufacturer)

Partner hosts webinars in collaboration with Somnitec during which IT security is discussed (see Section 2).

-          Consent

-          Legitimate interest

EU/EEA/U.S., other countries where applicable depending on the partner’s location


*DPA= Data Processing Agreement
 SCC= EU Standard Contractual Clauses

Section 7: Data subject rights

In accordance with the applicable data protection legislation, as a data subject, you are granted the following rights vis-à-vis the controller with regard to the processing of your personal data:

Revocation of your consent to data processing

Certain data processing is only possible with your express consent. You reserve the right to withdraw previously granted consent at any time. An informal notification by email is sufficient to withdraw your consent. The legality of the data processing carried out up to the point of withdrawal remains unaffected by the withdrawal.

Right to data portability

You have the right to demand that we hand over any data which we process automatically on the basis of your consent or to fulfil a contract to you or to a third party. The respective data shall be transferred in a machine-readable format. If you request the direct transfer of the data to another controller, this will only take place where technically feasible.

Right to information, rectification, to block data and erasure

Within the scope of the applicable statutory provisions, you reserve the right to obtain information about your stored personal data, its origin and recipients and the purpose of the data processing and, if applicable, the right to rectify, block or erase this data. You can contact us at any time at the contact information specified in Section 1 and 2 in this regard and for other questions on the subject of personal data.

Right to lodge a complaint with a supervisory authority

As a data subject, in the event of a breach of data protection regulations, you also reserve the right to lodge a complaint with the competent supervisory authority. The competent supervisory authority in terms of data protection issues is the authority with jurisdiction over the representative.

Right to object to processing

If we process your personal data on the basis of our legitimate interests as per Art. 6 para lit. f GDPR, you are entitled to file an objection to the processing of your personal data, provided this is based on grounds that pertain to your personal situation or due to an objection to direct advertising. In the case of direct advertising, you are granted a general right of revocation that we shall respect without the need for particular grounds.

Section 8: Hyperlinks

Our website contains hyperlinks to websites from other providers. When you click on these hyperlinks, you will be directly forwarded from our website to the website of the other provider. This change is indicated by a new URL, amongst other indications. We do not assume any liability for the confidential handling of your data on these third-party websites as we have no influence on whether these companies comply with data protection provisions. Information on how your personal data is processed by these companies can be found on the respective websites.

Section 9: Data integrity and security mechanisms

Somnitec has implemented extensive technical and organisational measures as part of the provision of this website and its content, which are reviewed on a regular basis and upgraded in light of technical advancement to ensure optimum protection. Among other measures, this includes the use of recognised encryption methods (SSL or TSL) to protect the transfer of confidential content that you send us as the site operator. As a result, data that you transfer on this website cannot be read by third parties. You can check whether a connection is encrypted by the appearance of the character string ‘https://’ and the lock symbol in your browser line.

However, we would like to point out that due to the design of the internet, data protection regulations and the aforementioned security mechanisms may not be observed by other people or institutions over which we do not exercise control. In particular, unencrypted disclosed data – even if sent by email – may be read by third parties. We have no technical influence over this. Responsibility lies with the website visitor to ensure that the data disclosed is protected by encryption or other methods to safeguard against breaches.

We revise and update our Privacy Notice on a regular basis to remain up to date with the valid data protection regulations. We occasionally publish updates on our website. This ensures you can stay up to date at all times.

Last revised: 11/08/2022

Follow us:
LinkedIn Instagram TikTok YouTube