The Compliance Blindspots of Remote Work: PWD, Work Entitlement, and Data Protection

Three compliance risks most remote workers do not know exist—and why your employer can legally fire you for not disclosing them.

The Rules Did Not Move When You Did

Your laptop crosses borders in a backpack, but the regulations that govern what you do with it do not. The moment you open your work email from a cafe in Munich, a different set of laws starts applying to you, your employer, and your data. Most of those rules were written before remote work existed, and their awkward fit with a Slack-based job is what creates the three blindspots in this guide. None of these are theoretical. People have been fined, deported, and dismissed for getting them wrong.

The EU Posted Workers Directive Triggers Faster Than You Think

The Posted Workers Directive (EU 2018/957) applies whenever you provide a service in another EU member state, even briefly. Installing a piece of equipment at a client's site, running a training session, conducting an internal audit, or speaking at a conference can all trigger a notification requirement in the host country. National implementations vary significantly: Germany uses the Worker Posting Act, France has the SIPSI portal, Austria applies its Wage Dumping Act, the Netherlands runs postedworkers.nl, and Switzerland — outside the EU — demands eight days' advance notification through its own system. Missing the filing can lead to fines, being removed from the premises, and downstream issues with your A1 certificate.

Your Tourist Visa Is Not a Work Visa

Work entitlement risk is the plainest and most ignored risk in remote work. In almost every country, a tourist visa or visa-waiver stamp explicitly excludes paid activity — and most immigration authorities interpret "paid activity" to include remote work for a foreign employer. The theory that "nobody will know" is fragile: border officers in Indonesia, Thailand, and several Gulf states now ask remote-work questions on arrival, and deportations of professionals caught working on tourist stamps are well-documented. Penalties can exceed 5,000 euros and may include multi-year entry bans. If your stay has any economic activity attached to it, either use a business visa, a digital nomad visa, or confirm in writing that the country tolerates short remote work on a tourist entry.

GDPR Follows You, Not Your Employer

The EU's General Data Protection Regulation applies whenever personal data is processed from within the EU/EEA — regardless of where the employer is headquartered. If you are a New Yorker working for a US company and you log into your CRM from a Lisbon apartment, your employer is now processing data subject to GDPR. That triggers obligations around lawful basis, security measures, transfer impact assessments, and — if anything goes wrong — potential fines up to four percent of annual global turnover. It is not your job to solve this, but it is your job to make sure your employer knows you are physically in the EU so they can implement the right safeguards. Working quietly from Berlin without telling HR can expose your company to liability you did not sign up to create.

The Schengen 90/180 Rule, Demystified

Disclose Before You Fly, Not After

The single most effective thing you can do to protect both yourself and your employer is to tell HR, in writing, where you plan to work and for how long — before you book flights. A short email saying "I'll be working from Barcelona from the 3rd to the 17th of June" gives your employer the chance to check permanent establishment risk, issue an A1 certificate, flag any PWD requirements, and confirm the data-protection setup. It also creates a paper trail that protects you if anything goes sideways. Many employment contracts now explicitly require this disclosure; failing to give it can be grounds for dismissal on its own, separate from any compliance fallout.

Risk Travels in Both Directions

People think of compliance as something the company worries about and the employee benefits from. Not here. If your unauthorised remote week triggers a tax filing in Austria or a PWD fine in Germany, the financial hit may land on your employer — but the employment consequences land on you. The reverse is also true: employers who ignore your disclosures owe you a duty of care under ISO 31030 and national law. Treat this as a two-way street.

The three compliance blindspots — Posted Workers Directive, work entitlement, and GDPR — catch remote workers who assume "nobody will know." Disclose your plans to HR in writing, verify your visa actually permits paid activity, and count your Schengen days. Protecting your employer is how you protect your job.

Explore Country Guides

See how these topics apply in practice across different countries:

• Moving to Germany
• Moving to Spain
• Moving to the Netherlands
• Moving to France
• Moving to the United Kingdom