
Introduction

In an increasingly digital working environment, the IT charter has become an essential document for your company, whatever its size. It provides a framework for the use of IT tools, prevents abuses and better protects your sensitive data.

In this article, you'll find a practical information sheet to help you understand your obligations, learn how to draw up a charter adapted to your organization, and access a free example of an IT charter that you can easily customize.

In this article

  • Understanding the corporate IT charter
  • What an effective IT charter should contain
  • Establish an IT charter and ensure its application
  • Free download of an IT charter template

What is an IT charter?

An IT charter is an official document, internal to the company, which sets out the rules for the use of IT tools made available to employees: computers, software, e-mail, Internet, networks, mobile devices, etc.

It specifies what is authorized, what is forbidden, the best practices to follow, and the consequences of non-compliance. It applies to all users of the company's information system (employees, contractors, trainees, etc.).

The charter may be appended to the company's internal regulations or be a separate document, signed on hiring or distributed as part of a safety policy.

Why does a company need an IT charter?

Today, the majority of companies use digital tools, even the smallest ones. The multiplication of uses (remote working, BYOD, cloud, social networks, etc.) exposes organizations to legal, technical and human risks.

The IT charter is therefore essential to ensure that employees are properly informed and to:

  • Protect the information system against malicious or careless use.
  • Establish a clear framework for what employees can and cannot do with IT tools.
  • Limit corporate liability in the event of an incident or abuse (data leakage, digital harassment, illegal downloading, etc.).
  • Comply with regulations, including GDPR and CNIL (National Commission for Information Technology and Civil Liberties) requirements.

It's a real lever for prevention, safety and compliance.

In fact, the CNIL (National Commission for Information Technology and Civil Liberties) has published official recommendations to help companies frame the use of digital tools and formalize a suitable, GDPR-compliant IT charter.

What is the purpose of a company IT charter?

A well-written IT charter has several objectives:

  • Supervise digital uses: internet browsing, email use, social networks, software...
  • Secure data and systems: protect access, limit the risk of viruses or hacking.
  • Empower users: everyone is a player in the company's cybersecurity.
  • Set rules of conduct: respect, confidentiality, professional use of tools.
  • Provide for checks and penalties in the event of non-compliance.

    In short, it sets out a clear, shared framework to avoid misunderstandings and reduce grey areas.

    What are the risks of not having an IT charter, according to the CNIL (National Commission for Information Technology and Civil Liberties)?

    Not having an IT policy exposes your company to a number of risks:

    • 🛑 Leakage or loss of sensitive data (clients, employees, partners).
    • 🛑 Uncontrolled use of the Internet or email (cyberstalking, defamatory remarks, illegal downloading...).
    • 🛑 Internal disputes or litigation in the event of abuse or misuse.
    • 🛑 Lack of proof in the event of CNIL (National Commission for Information Technology and Civil Liberties) control or legal action.
    • 🛑 Penalties for non-compliance with the GDPR, particularly in the absence of data protection measures.

    A well-drafted charter also serves to protect the company legally, by showing that it has informed its employees and laid down precise rules.

    Is it compulsory to have an IT charter?

    No, your company is not legally obliged to set up an IT charter, unless it contains disciplinary clauses. In this case, it must be incorporated into the company's internal regulations and follow a specific consultation and filing procedure.

    However, an IT charter is strongly recommended, especially if:

    • Your company processes personal data (reference to GDPR).
    • You want to supervise or control the use of IT tools (Internet browsing, messaging, applications, etc.).
    • You want to limit your legal liability in the event of inappropriate behavior or a security incident.

    The CNIL (National Commission for Information Technology and Civil Liberties) strongly recommends that companies formalize the rules governing digital use in a clear IT charter, to ensure transparency for employees and reinforce the organization's overall security.

    2. What an effective IT charter should contain

    To be useful and legally enforceable, your IT charter must be clearly structured and cover all the issues related to the use of digital technology in your company. Here are the essential elements to include:

    1. Structure and essential content of an IT usage policy

    The charter must begin by defining its objective: to govern the use of IT tools and personal data made available to employees within a strictly professional framework.

    It must also specify its scope of application:

    • Who is it intended for (employees, trainees, service providers, managers, etc.)?
    • On which tools does it apply? (computers, smartphones, Internet, email...)
    • And on which data (internal data, personal data, sensitive documents, etc.)?

    2. Rules governing the use of tools and access to IT systems

    The charter must clearly distinguish between professional and personal use of the equipment:

    • The tools provided are intended for professional use by default, which implies that the systems are used in accordance with internal rules.
    • Personal use may be tolerated to a reasonable extent, provided it does not compromise the security or proper operation of information systems.
    • Certain uses must be explicitly prohibited: access to illegal content, hate speech, illegal downloads, etc.

    It may also provide for access to computer files and systems by the company for security, maintenance or control purposes, in particular via controlled surveillance methods, in compliance with the legal framework.

    3. Supervised use: internet, software, professional messaging

    The charter must precisely describe authorized and prohibited uses:

    • Use of e-mail (no abuse or inappropriate use).
    • Internet browsing (authorized or blocked sites, vigilance against fraudulent sites).
    • Installation and use of software (restricted to applications validated by the company).
    • Use of collaborative tools (Teams, Google Drive, etc.).

    4. Personal data and cybersecurity: managing the risks associated with their use

    It must also include obligations regarding the management of personal data:

    • Personal data may not be used for private purposes.
    • Compliance with internal privacy policies.
    • Strict application of GDPR principles.

    And plan concrete cybersecurity measures, ensuring that security rules are strictly applied:

    • Confidentiality of logins and password management.
    • Data security and prevention against viruses and phishing attempts.
    • Reporting anomalies or safety incidents.

    5. Confidentiality, monitoring and exceptions

    The charter may state that files named "private" or "personal" are protected in principle. However, exceptions may be made in the event of:

    • Serious risk to safety or continuity of service.
    • Necessary access to documents for business continuity.
    • A judicial inquiry or a request from a competent authority.

    Any access must comply with strict conditions and be justified.

    6. Penalties for non-compliance with the IT charter

    The charter must stipulate that sanctions may be imposed in the event of non-compliance, as part of the control measures defined by the company:

    • Warning or call to order.
    • Suspension of certain computer accesses.
    • Disciplinary measures up to and including dismissal for serious misconduct.

    7. Integrating the GDPR into the company's digital security policy

    It should remind you of your legal obligations with regard to data protection:

    • Legal basis for processing.
    • Data retention purposes and duration.
    • Individual rights (access, rectification, deletion, etc.).

    The charter may refer to the company's privacy policy.

    8. Absence and departure management

    Specify what happens in the event of departure or prolonged absence:

    • Temporary access to IT tools to ensure continuity of service.
    • Deletion of professional messaging within a set timeframe.
    • Return of equipment, passwords and professional files.

    9. Intellectual property, business secrecy and ethics

    Add a specific section recalling:

    • Respect for copyright and software licenses.
    • Protection of know-how, trademarks and strategic data.
    • Respect for the image rights and privacy of other employees.

    10. Maintenance, updating and acceptance

    Finally, the charter must specify:

    • That the company can carry out maintenance operations on IT tools.
    • That the document can be updated in line with legal, technical or internal management developments.
    • That each employee must read the charter and formally accept it.

    11. Accountability

    It is important to remember that each user is responsible for the use he or she makes of the digital tools provided. The charter must therefore include a specific clause on individual accountability.

    Users are responsible for the use they make of IT tools and personal data, and for complying with the rules defined in the charter; accepting the charter implies compliance with those rules.

    For example, an employee who resorts to unauthorized technical manipulations in order to bypass the restrictions of a business software program, or to access data to which he or she is not supposed to have access - even in the context of a vulnerability search - incurs his or her liability. This type of behavior constitutes a fault which may be sanctioned according to the scale set out in the charter. The scale of sanctions applied must be known and proportionate.

    The rules described in this section come into force as soon as the charter is officially communicated to employees.

    3. Establish an IT charter and ensure its application

    Drawing up an IT charter is an essential first step, but what really makes it effective is its day-to-day implementation.

    A charter must be more than just a formal document filed in an HR file: it must be clearly communicated, regularly updated, and understood by all employees. This is what gives it real impact, and makes it binding in the event of non-compliance.

    Here are the key best practices to put in place to ensure the long-term viability of an IT charter:

    • Ensure that it is properly communicated to employees as soon as they arrive;
    • Guarantee its binding scope, in particular by signing it or incorporating it into internal documents such as the employment contract;
    • Ensure regular updates in line with technological, organizational and legal developments;
    • And finally, support this approach with awareness-raising and training initiatives to ensure that the rules are properly understood.

    In this section, we explain how to get your IT charter accepted, signed, maintained and developed, so that it becomes a truly useful, recognized and respected tool in your company.

    How do you get employees to accept the charter?

    For an IT charter to be effective and respected, it must be clearly communicated to employees. It's not enough to simply draw it up; the employer must also explain it, contextualize it and distribute it in a way that is accessible and available to employees.

    Here are some best practices:

    • Present the charter during team meetings or onboarding sessions for new arrivals.
    • Explain its objectives (protecting the company, preventing abuse, guaranteeing safety).
    • Use simple, non-legal language.
    • Highlight the benefits for employees: protection of personal data, clarity of rules, digital security.

    A charter that is understood is a charter that is accepted and favored. At Dipeeo, we deliver documents that are ready for distribution and easy to understand.

    Should employees sign the charter?

    Yes, we strongly recommend it.

    However, the legal value of the IT charter depends in part on how it is communicated and integrated into the company's internal documents. There are two possible scenarios, depending on whether the company has a CSE (Social and Economic Committee) and internal regulations.

    Case 1: Company with a CSE and internal regulations

    • In this case, the IT charter can be incorporated into or appended to the company's internal regulations.
    • Once the internal regulations have been posted and notified in accordance with legal requirements (consultation of the CSE, forwarding to the Labour Inspectorate), the charter becomes enforceable against employees without the need for individual signature.
    • As an employer, however, it is advisable to communicate the charter clearly to employees, at meetings or via the intranet, to ensure that it is well understood.

    Case 2: Company with no CSE and no internal regulations

    • This case mainly concerns SMBs with fewer than 50 employees.
    • It is strongly recommended that all employees sign the charter, as proof that they have read it.
    • The charter can be:
      • Attached to the employment contract,
      • Or sent separately, with a signed acknowledgement of receipt, at the time of hiring or implementation.

    The signature alone does not give absolute value, but it does reinforce the proof of information and acceptance of the rules.

    How do you update an IT charter?

    An IT charter must evolve with:

    • New digital tools (e.g. instant messaging, remote working),
    • Legal developments (e.g. GDPR, cybersecurity),
    • And new internal uses (BYOD, cloud, etc.).

    To update it:

    1. Identify the changes to be integrated (technical, legal or organizational),
    2. Modify the sections concerned with precision,
    3. Submit the new version for approval (legal, HR, management),
    4. Clearly inform employees of the update.

    At Dipeeo, we can also update your existing IT charter, with complete content updating and legal validation.

    How often should the IT charter be revised?

    There is no legal requirement for frequency, but as an employer it is recommended to review it every 12 to 24 months, or whenever there are significant changes:

    • Adoption of a new software or system,
    • Setting up working remotely,
    • Changes to the legal framework (CNIL recommendations, GDPR),
    • Safety incidents or internal audits.

    A regular review shows that the company takes cybersecurity and compliance seriously.

    4. Free download of an IT charter template

    To help you save time and make sure you don't forget anything, we've put together an article and a complete template for you to download free of charge.

    It's a global, professional charter designed to cover all digital uses in business: workstations, messaging, internet, security, GDPR, etc.

    This document can be used as is or adapted to your organization, whatever its size.

    Download a free sample IT charter

    Conclusion: A clear IT charter, a strategic asset for your company

    Implementing an IT charter is more than just a formality: it's a strategic approach to controlling digital usage, protecting sensitive data, limiting legal risks and reinforcing cybersecurity.

    To be truly effective, the charter must be clear, adapted to the company's reality, and evolving. Its value lies as much in its content as in the way it is disseminated, understood by employees and regularly updated.

    By integrating the charter into an overall approach to IT governance and awareness-raising, you set a clear framework, promote team empowerment, and show that your company takes digital security seriously.

    FAQ: We answer your most frequently asked questions

    Is the IT charter legally valid?

    Yes, as long as it respects certain rules.

    The IT charter can be legally binding if it is:

    • Communicated to employees (by distribution, posting, individual delivery, etc.),
    • Incorporated into internal regulations (if they contain disciplinary clauses),
    • Or signed individually by employees (particularly in VSBs).

    It must also comply with employment law and the GDPR, and must not disproportionately infringe individual freedoms (e.g. in terms of surveillance).

    A well-written charter can be used in the event of litigation or disciplinary proceedings as proof that the employee was aware of the rules in force.

    Who should draw up the IT charter?

    Drawing up an IT charter requires a clear understanding of the technical, legal and human issues at stake within the company. In theory, it can be drafted internally by the employer, with the contribution of:

    • Management (strategic vision),
    • The IT department (usage and security),
    • HR department (employee relations),
    • And ideally, a legal expert (legal framework).

    In practice, however, many companies lack the time or expertise to draw it up properly.

    At Dipeeo, we write the entire IT charter for our clients, from A to Z.
    We produce a clear document, adapted to your organization, legally compliant and directly applicable.

    Should the charter be proofread by a lawyer?

    Yes, it's essential.

    An IT charter must comply with the French Labour Code, the GDPR and the recommendations of the CNIL (National Commission for Information Technology and Civil Liberties). A simple error in wording can render it inapplicable, or even illegal.

    Do VSBs and SMBs also need an IT charter?

    Yes, absolutely.

    Even in a small structure, the risks associated with digital usage are very real: data loss, misuse, non-compliance with GDPR, or even cyberattacks. An IT charter makes it possible to set out a clear framework, empower employees, and protect the company in the event of a problem.

    Unlike large companies, SMBs do not always have legal or IT departments. A well-drafted charter appended to the employment contract is therefore a simple, accessible, and effective tool for enhancing security and compliance without complexity.

    Anaïs Guilloton

    Marketing Manager - GDPR Expert