⚠️ Workforms Expose Sensitive Results to All Users Despite Restrictions — GDPR Concerns

Dear users,

I am shocked by what happened this week with Monday.com’s Workforms. I use Workforms extensively to collect consolidated — and often sensitive — data such as expense reports, benefit requests, and performance reviews (mid-year and end-of-year).

To my surprise, despite setting restrictions using the “People” column for my end-of-year review form, I discovered that when someone clicks Form → Results, they can see all responses and comments from every respondent — including those from other teams and containing highly confidential information.

In my case, employees completed their mid-year review. Everything appeared correct on the board, but as soon as you click “Results,” ANY user can view responses from anyone, including salary requests and other personal data.

How is this GDPR-compliant? This means employees can see private, identifiable data from their colleagues without authorization.

I consulted two monday consultants, both of whom confirmed this is highly irregular and likely a serious data protection breach. However, when I contacted Monday.com support, they told me this behavior is “normal,” cannot be disabled, and that I could only use a workaround.

If this is indeed the intended design, it raises serious concerns about trust in Monday.com as a platform for handling sensitive data.


Is the board set as private/main/shareable? And are those that can ‘see’ the results members of the board?

The board is “main”. The permission was set to only allow viewing the line that was created by or assigned to a user. For example, I only see my HR review or the one from my employee, but I don’t see the ones from other colleagues. The board reacts that way. I am not able to see anything else. However, when I go to “Forms” and “Results”, I am able to see EVERYTHING: comments, grading, content of columns (and all other employees’ too).

Very strange, and indeed it does not seem “normal” to me.

So basically, the “assigned to a user” permission is working for the board but not for the form submissions. Of course, they are saving forms in 2 places, one within the board and the other in the Response tab, but they forgot to follow the permission rule over there.

Exactly, it seems crazy to me. The board is working just fine, but the permissions are not replicated on the “RESULTS” part, which can be extremely sensitive, as it is not just column sums or numbers but the complete text comment part. So in my case all the employees were able to see the HR review of everyone.


I’m not trying to sell anything here, but I’ve built an app called OnlyForm that can help solve this. I’m currently going through the review process to host it on the monday.com code platform, which will make it fully GDPR compliant.

With it, employees wouldn’t be able to see each other’s data, something that definitely seems important in your case. If monday.com considers the current behavior “normal,” it might mean there’s not enough push internally to change it. I’d still recommend creating a formal feature request, though, so there’s more visibility on the issue.


Thanks for sharing.

Regarding GDPR, Monday.com is listed as the “data processor”. The individual users of Monday.com are the “data controllers”. The burden of protecting confidential or sensitive information is on us, the users. As for protecting confidential or sensitive information, you can restrict your board member list and customize permissions; however, the best approach is to “hide” your confidential or sensitive information behind a separate workspace. Use one workspace and board to house your forms and collect information but have that information immediately moved to a separate workspace and board(s) upon collection. I know that this approach is a workaround, but it has proven to be the most effective approach I can find without overhauling the look/feel of your Monday.com workspace or integrating other applications.

I don’t agree. If the permissions are set at the board level, why wouldn’t they be replicated on the form results? Otherwise, everyone would be able to see the answers even though the permissions were set correctly. For me, Monday Workforms have a major issue here.

Wow, that’s a really concerning discovery. Thanks for sharing the details so clearly.

If what you described is indeed the intended “normal” behavior, then it definitely raises red flags for GDPR and general data privacy. Sensitive HR information like salary or reviews should never be accessible to other employees unless explicitly permitted.

I’d strongly recommend:

  • Escalating this in writing to Monday.com support and asking for an official GDPR compliance statement.

  • Using private boards or restricting access as a temporary workaround until they clarify.

  • Documenting everything (screenshots, consultant confirmations, support replies) in case this needs to be raised to your company’s Data Protection Officer (DPO) or even regulators.

Hopefully, Monday takes this feedback seriously — because for many organizations this could be a dealbreaker.

Thank you, Karl. I had the same reaction and honestly thought this was a bug. I became even more concerned when the response from Monday support was only:

“Although there currently isn’t an option to toggle this off for users (response view), I’m happy to share feedback with our internal product team to provide more functionality to prevent unnecessary access, as this is a totally valid concern and need for your team!”

They also said:

“That said, I am going to connect you with our security/legal/privacy team, as you mentioned GDPR compliance in your community post. We understand the importance of this, so they will be able to provide more context behind this or advise on any necessary next steps.”

But it’s been a week now, and still nothing. Trusting the permissions settings is critical for us, and yes, I have documentation. I just don’t understand how Monday can allow this kind of behavior, which completely contradicts the board-level permissions.


Have you tried this setting?

The issue for this case is that it cannot be anonymous because it’s a mid-year HR review. The other issue is that the comments (text column) are also visible, meaning anyone can see all the wording/names/situations, so people are identifiable.

You’re absolutely right to be concerned; if Workforms results are visible like that, it’s a real GDPR risk. The best step is to raise it directly with Monday.com’s Data Protection Officer and document what you’ve found. In the meantime, tighter board/workspace permissions might help as a workaround.