monday Workform GDPR concerns
Dear Users,
I was deeply alarmed by an issue I encountered this week with Monday.com’s Workforms.
I rely heavily on Workforms to gather consolidated — and often highly sensitive — information such as expense reports, benefit requests, and employee performance reviews (both mid-year and end-of-year).
To my surprise, despite applying restrictions using the “People” column on my end-of-year review form, I discovered a serious flaw: when someone clicks Form → Results, they are able to see all responses and comments from every respondent — including other teams’ entries containing confidential data.
In my case, employees completed their mid-year review, and everything appeared correctly restricted on the board. However, once “Results” is opened, any user can view responses from anyone else, including sensitive information such as salary requests and personal details.
This raises an obvious question: How can this be GDPR-compliant? Allowing employees to access private, identifiable data from colleagues without authorization appears to be a major data protection breach.
I consulted two independent Monday consultants, both of whom confirmed this behavior is highly irregular and likely a serious violation of data security best practices. Yet, when I reached out to Monday.com support, I was told this is “normal” behavior, cannot be disabled, and that the only option is to use a workaround.

Answers

Participating Frequently · 2 years ago
Is the board set as private/main/shareable? And are those that can ‘see’ the results members of the board?

Author Member · 1 year ago
The board is “main”. The permission was set to only allow viewing the line that was created by or assigned to a user. For example, I only see my HR review or the one from my employee, but I don't see the ones from other colleagues. The board reacts that way. I am not able to see anything else. However, when I go to “Forms” and “Results”, I am able to see EVERYTHING: comments, grading, content of columns (and all other employees' too).

New Contributor · 8 months ago
Very strange, and indeed it does not seem “normal” to me. So basically the “assigned to a user” permission is working for the board but not for the form submissions. Of course, they are saving forms in 2 places, one within the board and the other in the Response tab, but they forgot to follow the permission rule over there.

New Contributor · 8 months ago
Regarding GDPR, Monday.com is listed as the “data processor”. The individual users of Monday.com are the “data controllers”. The burden of protecting confidential or sensitive information is on us, the users. As for protecting confidential or sensitive information, you can restrict your board member list and customize permissions; however, the best approach is to “hide” your confidential or sensitive information behind a separate workspace. Use one workspace and board to house your forms and collect information but have that information immediately moved to a separate workspace and board(s) upon collection. I know that this approach is a workaround, but it has proven to be the most effective approach I can find without overhauling the look/feel of your Monday.com workspace or integrating other applications.