When forming an employment relationship, in addition to the familiar essentials that enterprises and employees typically consider, such as position, job description, salary and welfare benefits, and labour discipline, confidentiality of information has increasingly become a key issue, now often addressed in detail within agreements between employer and employee. Under the current legal framework, confidentiality of information is no longer a unilateral obligation of the employee, but also an obligation of the employer, who is required to comply with responsibilities relating to the protection of the employee’s personal information. This article analyses confidentiality obligations from both sides of the employment relationship, with a view to providing enterprises with further information for establishing procedures and policies on information confidentiality.

1. Employee’s obligation on confidentiality of information
During the course of their employment at an enterprise, the employee may access or be provided with valuable information that has not been disclosed to the public in order to perform their assigned work. Such information is typically important, affects business operations, and may create a competitive advantage for the enterprise. Accordingly, confidentiality of information has become an essential requirement imposed by enterprises on the employee. The importance of the obligation to maintain confidentiality of information has also been emphasized in the Labour Code. Under the Labour Code and its implementing instruments, the employer and the employee may enter into written agreements, or include in the labour contract, detailed provisions on confidentiality of information.
1.1. Identification of confidential information
Before imposing relevant responsibilities on the employee, confidential information should be identified in a manner that ensures the employee understands and complies with their obligations. By reference to the Labour Code, confidential information is covered through the two terms ‘trade secrets’ and ‘technological know-how’; however, the Labour Code does not provide a more specific definition. From an intellectual property perspective, the Law on Intellectual Property provides that “a trade secret means information obtained from financial or intellectual investment activities, which has not been disclosed and is capable of being used in business”[1]. For public companies, inside information denotes information that employees are not permitted to disclose. It is defined as “information relating to a public company that has not been published and, if published, would be likely to have material effect on the price of the securities of such company”[2].
In practice, in confidentiality agreements, enterprises tend to define trade secrets and technological know-how as broadly as possible, namely to include all information, data, and documents that have not been disclosed or made public by the employer and that are protected by necessary measures, such as information on customers and suppliers, human resources information, business data, accounting, marketing, advertising, research results, technical know-how, initiatives, improvements, development and investment plans, etc. Such confidential information further encompasses information developed by the employee, whether independently or jointly with other employees of the company, during the course of his or her employment and through the use of the company’s resources, because ownership of such information belongs to the enterprise in which the employee is engaged. Specifically, under the Law on Intellectual Property, an organization that assigns an author who works for that organization to create a work shall be the owner of the economic rights in the work and shall possess the right to publish the work, unless otherwise agreed by the parties[3]. Accordingly, although the employee is the person who directly creates the work, the employer is the owner of the economic rights, while the employee retains the moral rights, including the rights to title the work, to have his or her name attached to the work, to protect the integrity of the work, and to prevent others from modifying or mutilating the work in any form[4]. Other organizations and individuals, when using one, several, or all economic rights, including the rights to reproduce and distribute to the public the original or copies of the work in tangible form, must obtain permission from the owner of the economic rights[5]. 
Therefore, a company may prohibit the disclosure, copying, publication, or distribution to any third party of reports, work products, initiatives, ideas, documents, designs, processes, technical know-how, or other intellectual products created by an employee during his or her employment with the company, unless the company has given its prior written consent.
1.2. Employee’s responsibilities for confidentiality of information
Current law does not specifically regulate the employee’s responsibilities regarding confidentiality of information, but permits the parties to agree on such matters. Normally, in a confidentiality agreement, the employee must undertake commitments relating to the use of confidential information, including:
a. Purpose of use: Confidential information may only be used for the purpose of performing assigned work and for the benefit of the company, and may not be used for the personal benefit of the employee or for the benefit of any third party;
b. Data sharing: Confidential information must not be disclosed, provided, published, or disseminated in any form to any person, except where disclosure is mandatory at the request of a competent State authority or where the company has given written approval;
c. Data storage: Records and documents containing confidential information must not be copied, stored, or retained outside the company’s premises or on personal devices or accounts; and
d. Data deletion and destruction: Upon termination of the labour contract or at the request of the employer, the employee must return or delete and destroy documents and media containing confidential information.
In addition, subject to the employer’s requirements and the degree of confidentiality of the information, the employer may impose additional responsibilities on the employee, such as not exchanging, sharing, or disclosing confidential information with other personnel within the company except where disclosure is necessary for the performance of assigned duties, as well as promptly notifying and cooperating with the company in addressing any unauthorized access, unauthorized disclosure, leakage, or unauthorized use of confidential information.
The term of confidentiality may be maintained throughout the life of the labour contract and may survive a period of time after termination of the labour contract. This should also be clearly stipulated in the confidentiality agreement between the employee and the employer to ensure enforceability and binding effect between the parties.
1.3. Mechanism for handling violations
Where an employee breaches the obligation to protect trade secrets or technological secrets, such employee may be dismissed, which is the most severe disciplinary measure under the Labour Code. However, in order to impose dismissal as a disciplinary measure, the enterprise must also comply with the strict disciplinary procedures prescribed by the Labour Code.
In addition to being subject to labour disciplinary liability, the employee must also compensate the employer in accordance with the parties’ agreement. As to the procedure for handling compensation, the enterprise should follow the guidance below[6]:
a. If the employee’s violation is detected during the term of the labour contract, such violation shall be addressed in accordance with the order and procedures governing compensation for damage as prescribed by the Labour Code. Accordingly, the handling of compensation for damage shall comprise the following principal steps: the employee prepares a written report on the incident; the parties hold a meeting to handle compensation for damage with the participation of the employee’s representative organization of which the employee is a member; and the employer issues a decision on compensation for damage. The handling of compensation for damage must be carried out within six months from the date on which the employee committed the violation[7].
b. If the employee’s violation is detected after termination of the labour contract, the violation shall be addressed in accordance with civil law and other relevant laws. Accordingly, compensation shall be made on the principle of full compensation for the actual damage caused by the employee, unless otherwise agreed by the parties. The burden of proving actual damage lies with the employer where the employer requests that the employee compensate for damage caused by the employee’s violation in relation to the executed confidentiality agreement.
1.4. Documents and agreements to be established to protect employer’s confidential information
For the purpose of ensuring the security of confidential information, the employer and the employee may enter into the following agreements:
a. Confidentiality agreement: The confidentiality agreement should include key contents such as (i) a list of trade secrets and technological secrets, (ii) the scope of use, (iii) the period of protection, (iv) the method of protection, (v) the rights and responsibilities of each party, and (vi) compensation in the event of breach[8].
b. Non-compete agreement: Although a confidentiality agreement expressly stipulates the employee’s obligation not to disclose confidential information, its effective implementation depends upon the employee’s cooperation and compliance. In addition, in practice, detecting a violation by an employee with clear and admissible evidence is often difficult. Therefore, a non-compete agreement becomes a more stringent binding instrument, serves an early preventive function, and facilitates the identification of violations. Accordingly, the employee is prohibited from engaging in employment with a competitor, as such employment may result in disclosure of the company’s trade secrets or technological know-how, thereby directly impairing the company’s business operations.
c. Internal labour regulations: Protection of assets, trade secrets and technological know-how is one of the compulsory contents of internal labour regulations. The internal regulations should specify the list of technological know-how and trade secrets; the responsibilities and measures applied to protect assets and secrets; and acts infringing trade secrets and technological know-how[9]. In addition, clear provisions in the internal regulations serve as a basis for conducting labour disciplinary action against an employee in the event of violation. Under the law, internal labour regulations must be registered with the competent State authority.
2. Employer’s obligations to maintain confidentiality of information
For the purpose of entering into labour contracts and managing labour, the employer may require the employee to provide personal information such as full name, date of birth, gender, place of residence, education level, occupational skills, health status, and other matters directly related to the formation of the labour contract; and the employee is responsible for providing such information truthfully and fully[10]. This is a normal activity in any enterprise. However, under the Law on Personal Data Protection, the collection, transfer, storage, and processing of personal data in general, and the employee’s personal data in particular, must comply with the law. This gives rise to corresponding responsibilities of the employer in using the employee’s personal data, including the responsibility to keep the employee’s personal information confidential. Under the Civil Code, parties to a contract may not disclose information on personal secrets, family secrets, or private life that they come to know during the establishment and performance of the contract, except as otherwise agreed[11].
2.1. Identification of employee’s personal data
Identifying which information constitutes the employee’s personal data helps the employer proactively determine an appropriate scope of information collection in accordance with the purposes of use and adopt suitable protection measures in compliance with legal requirements. Under the Law on Personal Data Protection, personal data means data that identifies or helps identify a specific individual, including (i) basic personal data and (ii) sensitive personal data[12]. Basic personal data includes information reflecting identity, background, and social relationships, such as full name, date of birth, gender, place of birth, registered permanent residence, registered temporary residence, nationality, telephone number, personal identification number, marital status, account number, and information on family relationships[13]. Sensitive personal data includes information associated with an individual’s right to privacy which, if infringed, would directly affect the lawful rights and interests of the relevant agency, organization, or individual, such as health status, political opinions, religion, beliefs, data revealing crimes or legal violations, sexual orientation, an individual’s location, images of citizen identification cards, login information and passwords for an individual’s electronic identification account, etc.[14]
2.2. Employer’s responsibilities for protecting the employee’s personal data
Under the Law on Personal Data Protection and its implementing instruments, the responsibility of a data controller to protect personal data is not limited to an obligation not to disclose, share, or unlawfully transfer personal information. These obligations are broader and more comprehensive: an enterprise’s responsibilities arise at the point of collection of the employee’s personal data, requiring that such collection is lawful, and continue until the deletion or destruction of the data so as to terminate its existence within the employer’s system. Accordingly, the duty to maintain the confidentiality of the employee’s personal information does not constitute an isolated responsibility, but rather forms an integral component of a continuous chain of responsibilities for the protection of the employee’s personal data as described below.
a. Collection of personal data
The consent of the personal data subject is a mandatory requirement when collecting and processing personal data. Accordingly, the employer must collect the employee’s consent by a clear and verifiable method, on the basis that the employee has been fully provided with information on (i) the types of personal data processed, (ii) the purposes of personal data processing, (iii) the personal data controller, and (iv) the rights and obligations of the employee as the personal data subject[15]. These are also the contents that should be included in agreements on the protection and processing of the employee’s personal data. It should be noted that, in the event of a dispute, the burden of proving the personal data subject’s consent lies with the employer, namely the personal data controller and processor[16].
In addition, as a personal data subject, the employee has the following rights:
- To withdraw consent to the processing of his or her personal data or request restriction of the processing of personal data when there are doubts regarding the scope or purpose of processing or the accuracy of the personal data. A request to withdraw consent or to restrict personal data processing shall be made in accordance with the law and the agreement between the parties.
- To self-correct certain types of personal data as agreed with the employer, or to request the employer to correct such personal data.
b. Transfer of personal data
In practice, the transfer and sharing of personal data may take place among companies within the same group, among departments within the same company, or in the case of transfer to a third party for personal data processing. Personal data protection law imposes requirements for each case of transfer, including:
- Where personal data is transferred to a third party for processing, among others, the enterprise must establish an agreement with such third party on the data transfer, including contents on the purpose of transfer, the types of personal data transferred, the period of personal data processing, deletion and destruction of personal data, responsibilities for protecting personal data during the transfer process, and responsibilities for exercising the rights of personal data subjects, among other matters.
- Where personal data is shared among departments within the same agency or organization for the purpose of processing personal data in accordance with the established processing purpose, the enterprise must develop a procedure to control the sharing and use of personal data in compliance with the law, and must adopt measures to prevent internal personnel of the agency or organization from unlawfully sharing personal data with third parties. To implement this, the enterprise may develop internal personal data protection regulations, thereby decentralizing access rights to specific types of personal data for each individual and department and specifying the responsibilities of individuals and departments in maintaining the confidentiality of personal data.
For international companies, if personal data is transferred outside the territory of Vietnam for cross-border human resources management in accordance with labour rules, regulations, and collective bargaining agreements, under the law, such companies are not required to prepare a cross-border personal data transfer impact assessment dossier[17]. For other cross-border transfer activities, the employer must prepare a cross-border personal data transfer impact assessment dossier and submit it to the competent State authority for review. The dossier must contain all contents required by law[18].
c. Deletion and destruction of personal data
The employer must delete and destroy the employee’s personal data upon termination of the labour contract, unless otherwise agreed. This is a provision of current law and is also worth noting when developing an agreement on personal data protection with the employee. In particular, if the company needs to retain the employee’s personal data for a certain period even after termination of the labour contract for purposes such as resolving labour benefits, performing obligations to the State, or resolving disputes between the parties, the company should clearly stipulate an appropriate data retention period after the labour contract ends, in line with the company’s purposes of use.
In addition, an employee, as a data subject, may request deletion or destruction of his or her personal data, provided that the employee accepts the risks and damage arising from such deletion or destruction and complies with the principles prescribed by law. The employer must delete or destroy the personal data, or request the personal data processor or third party to delete or destroy the employee’s personal data. Deletion or destruction of personal data may be refused only in very limited cases prescribed by law, including to address an emergency or a threat to national security, or to serve State management activities. The enterprise may not intentionally and unlawfully restore personal data that has been deleted or destroyed.
2.3. Mechanism for handling violations
The employer may face monetary fines and additional sanctions if they violate regulations on the protection of personal data in general and the employee’s personal data in particular. At present, the Government is issuing a draft decree detailing the handling of violations in the field of personal data protection (the “Draft Decree”). Under the Draft Decree, where the collection or processing of personal data is not conducted within a clear and specific scope and purpose, or where personal data does not ensure accuracy and is not corrected, updated, or supplemented when necessary, or where personal data is stored beyond a period appropriate to the purpose of processing, the employer may be fined up to VND 140 million; in addition, it may be compelled to delete and destroy the personal data to the extent that it cannot be restored, to return or surrender illegal gains obtained from the violation, and to publicly apologize to the personal data subject. For the act of failing to develop clear procedures, processes, and forms for exercising the rights of personal data subjects and for specifying the responsibilities of relevant departments, the employer, as the personal data controller and processor, may be fined up to VND 100 million. If personal data is processed without the consent of the personal data subject, or if consent is not expressed by a clear and specific method, a fine of up to VND 140 million may be imposed, together with a compulsory measure to delete and destroy the personal data to the extent that it cannot be restored and to issue a public apology through mass media for such act. In general, the sanctions are very strict, and the employer should therefore pay close attention to ensuring compliance.
2.4. Documents and agreements to be established to protect employee’s personal data
To specify the responsibilities of relevant parties and to document processes and methods of implementation so as to ensure consistency throughout the personal data processing process, the employer should develop the following documents and agreements:
a. Personal data processing agreement: This agreement may take the form of a standalone agreement or a clause in the labour contract, setting out contents on (i) the types of personal data processed, (ii) the purposes of personal data processing, (iii) the personal data controller, (iv) the rights and obligations of the employee as the personal data subject, including the rights to request correction, to request provision of information, and to request deletion or destruction of personal data, and (v) the rights and obligations of the employer, including the right to transfer personal data to companies within the same group or to third parties for personal data processing, and the right to retain personal data and the retention period. This document may also be used to evidence the employee’s consent to the employer’s processing of personal data.
b. Internal policies, procedures, regulations, and forms on personal data processing: The processing of the employee’s personal data may be undertaken by various individuals and departments within the company. Therefore, it is necessary to develop an internal procedure to ensure common and consistent implementation, based on decentralizing access rights to different types of the employee’s personal data, specifying the responsibilities of each department in protecting personal data, and setting out the process for handling an employee’s requests relating to his or her personal data.
c. Agreements with third parties: Where the employee’s personal data is transferred to a third party for processing, the employer must have an agreement on the transfer of personal data with such third party, containing the key contents set out in Section 2.2(b).
[1] Article 4.23 of the Law on Intellectual Property.
[2] Article 4.44 of the Law on Securities.
[3] Article 39 of the Law on Intellectual Property.
[4] Article 19 of the Law on Intellectual Property.
[5] Articles 19, 20 and 39 of the Law on Intellectual Property.
[6] Article 4.3 of Circular No. 10/2020/TT-BLDTBXH of the Ministry of Labor, War Invalids and Social Affairs dated 12 November 2020 elaborating and guiding certain articles of the Labour Code concerning employment contracts, collective bargaining council and jobs with hazards to reproductive function and children raising (“Circular 10”).
[7] Articles 71 and 72 of Decree No. 145/2020/ND-CP of the Government dated 14 December 2020 elaborating some articles of the Labour Code on working conditions and labor relations (“Decree 145”).
[8] Article 21.2 of the Labour Code and Article 4 of Circular 10.
[9] Article 69 of Decree 145.
[10] Article 16 of the Labour Code.
[11] Article 38 of the Civil Code.
[12] Article 2.1 of the Law on Personal Data Protection.
[13] Article 3 of Decree No. 356/2025/ND-CP of the Government dated 31 December 2025 elaborating on certain articles and implementation measures of the Law on Personal Data Protection (“Decree 356”).
[14] Article 4 of Decree 356.
[15] Article 9 of the Law on Personal Data Protection.
[16] Article 6.2 of Decree 356.
[17] Article 17.3(d) of Decree 356.
[18] Article 18 of Decree 356.
Disclaimer: This article has been prepared by PTN Legal Limited Liability Law Company (‘PTN Legal’) for the sole purpose of providing reference information to readers. PTN Legal makes no representation or warranty as to the accuracy or completeness of this information. The contents of this article may be changed, amended, or updated without prior notice. PTN Legal assumes no responsibility for any errors or omissions in this article, or for any damage arising from the use of this article in any circumstances.
Article prepared by Ms. Pham Thi Hai Yen, Associate.

