Skip to content
Lukk
Logg inn
Søk
en
no
Purchase now
Contact us
en
no
Purchase now
Contact us
Services
Background check
Digital reference check
Prices
Advisory
Human risk services
Emergency services
Security services
Tools
Jig is the tool that facilitates secure employment by gathering Semac's services in one place. Read more about Jig here.
Jig BW

Privacy policy

TABLE OF CONTENTS
loading...

Our privacy policy

Last updated: 10.10.25

Semac provides services within digital reference checks, background checks and advisory services. We process personal data in accordance with the Personal Data Act (2018) / GDPR (Regulation (EU) 2016/679). To deliver these services in a secure and lawful manner, we process personal data in the role of data controller or data processor. This statement describes how we collect, use and protect data, and which rights you have as a data subject.

Who does this apply to?

  • Candidates / data subjects: We conduct background checks on behalf of our customers, who are the data controllers. In this role, our customer is the data controller, and Semac acts as the data processor on their behalf.
  • Customers: Semac is the data controller for customer data.
  • Visitors to our website: Semac is the data controller for information collected through our website.

 

Which data do we process?

  • Candidates
    - Identity information (name, address, phone number, date of birth)
    - Education and work experience (CV)
    - Certificates, diplomas and public records
    - References provided by the candidate
    - Any information from sanctions lists, police certificates or credit checks when required or permitted under applicable law
  • Customers
    - Contact information and login details
    - Billing and payment history
    - Customer service and contractual communication
  • Visitors to our website:
    - IP address, device and browser
    - Usage patterns (page views, clicks)
    - Cookies and analytics tools

Purpose and legal basis

  • Candidates: Semac conducts background checks in recruitment processes on instructions from employers (our customers). The legal basis is primarily legitimate interest and/or legal requirements.
  • Customers: Processing takes place based on contractual necessity and legitimate interest for managing and maintaining customer relationships.
  • Visitors to our website:  Processing is based on consent (e.g. cookies/newsletters) or legitimate interest for website operation and security, and for improving services and marketing (consent via the cookie banner).

Sharing of information

We share personal data only when necessary to deliver our services or comply with legal obligations. This may include:

  • Employer: We share relevant information with the employer as part of the background check.
  • Authorities: We transfer data to public authorities when required by law.
  • Subcontractors: We may use subcontractors who assist with technical or administrative services. They are contractually obligated to follow our instructions and GDPR.
  • Third countries: When transferring data outside the EEA, we use EU Standard Contractual Clauses and ensure an equivalent level of protection, including security measures such as encryption where relevant.

 

Storage and deletion

For background checks, all data is automatically deleted after the retention period agreed with each customer. The minimum storage time is 3 months and the maximum is 24 months.

  • Customer and contract information is stored for as long as the customer relationship lasts and in accordance with legal requirements.
  • Website data is stored according to the consent provided via the cookie banner.

 

Security and preparedness

  • Encryption and access control
  • Regular security audits
  • Preparedness plans for incident handling
  • Notification to employer and the Data Protection Authority (DPA) in case of breaches
  • Risk assessments and DPIAs for sensitive processing

Your rights  

You have rights regarding your personal data processed by Semac or on behalf of your employer:

  • Access: You may request information about the data we process about you, the purposes, retention time and who it is shared with.
  • Rectification: You may request correction of inaccurate or incomplete information.
  • Deletion (“right to be forgotten”): You may request deletion of data when legal conditions are met, unless we have lawful grounds to retain it (e.g. legal obligations or contractual necessity).
  • Restriction: You may request temporary restriction of processing, for example during a complaint process.
  • Data portability: You may request personal data in a structured, commonly used and machine-readable format, or have it transferred directly to another data controller where technically feasible.
  • Object to processing: You may object to processing based on legitimate interest or to direct marketing.

How to exercise your rights:

  • For background checks (where we are the data processor), you must contact the employer who ordered the service.
  • Contact us at post@semac.no for information we process as the data controller.
  • Complaint to the Data Protection Authority: You have the right to lodge a complaint with the Norwegian Data Protection Authority if you believe we are not processing your data in accordance with GDPR: www.datatilsynet.no.

Is your personal data safe with Semac?

To protect personal data, we must take a comprehensive approach to information security. Semac therefore works in several ways to protect your rights and your information:

  • Employees: we work continuously to strengthen knowledge, attitudes and awareness to reduce human vulnerabilities. All Semac employees are bound by confidentiality.
  • Technology: we work to ensure that systems are robust against external cyber threats and to reduce vulnerabilities arising from third-party interaction and employee system use.
  • Organisation: we ensure accountability is assigned, that risk management is embedded in Semac’s operations and that routines and guidelines for secure information management are developed.

Third-party tools

Semac uses certain third-party tools for operations, analytics and communication. All providers are contractually bound to GDPR and process data only according to our instructions.

  • Analytics and traffic
    Google Analytics: Measures user behaviour on websites to improve services.
  • Customer service and marketing
    HubSpot: Management of customer information and communication, including marketing activities.
  • Cloud and hosting
    Heroku, Amazon Web Services and Azure: Hosting and operation of the platform and related services.

All third-party tools are selected with regard to security and privacy, and we ensure a level of protection equivalent to that within Semac, including encryption and access control where relevant.

 

Children’s privacy

At Semac, we take children’s privacy seriously. Our services are primarily directed at adults, but we are committed to protecting children and young people as well. If you are under 18, we recommend speaking with a parent or guardian before sharing personal information with us. This ensures that your data is handled safely and responsibly.
 

Privacy breaches

In case of a breach or suspected breach of personal data, send a notification to post@semac.no with the subject “GDPR breach” and mark it as “High importance”.

Contact person at Semac:

Name: Mette Reitan, Quality & Compliance Manager
Email address: Mette Reitan  
Phone: +47 922 60 160


Applicable laws and privacy practices may change over time. Please review our privacy rules regularly to ensure you are satisfied with any updates. For the sake of your privacy, please take care with the information you share with us via email.