The Rules Did Not Move When You Did
Your laptop crosses borders in a backpack, but the regulations that govern what you do with it do not. The moment you open your work email from a cafe in Munich, a different set of laws starts applying to you, your employer, and your data. Most of those rules were written before remote work existed, and their awkward fit with a Slack-based job is what creates the three blindspots in this guide. None of these are theoretical. People have been fined, deported, and dismissed for getting them wrong.
The EU Posted Workers Directive Triggers Faster Than You Think
The Posted Workers Directive (EU 2018/957) applies whenever you provide a service in another EU member state, even briefly. Installing a piece of equipment at a client's site, running a training session, conducting an internal audit, or speaking at a conference can all trigger a notification requirement in the host country. National implementations vary significantly: Germany uses the Worker Posting Act, France has the SIPSI portal, Austria applies its Wage Dumping Act, the Netherlands runs postedworkers.nl, and Switzerland — outside the EU — demands eight days' advance notification through its own system. Missing the filing can lead to fines, being removed from the premises, and downstream issues with your A1 certificate.
Your Tourist Visa Is Not a Work Visa
Work entitlement risk is the plainest and most ignored risk in remote work. In almost every country, a tourist visa or visa-waiver stamp explicitly excludes paid activity — and most immigration authorities interpret "paid activity" to include remote work for a foreign employer. The theory that "nobody will know" is fragile: border officers in Indonesia, Thailand, and several Gulf states now ask remote-work questions on arrival, and deportations of professionals caught working on tourist stamps are well-documented. Penalties can exceed 5,000 euros and may include multi-year entry bans. If your stay has any economic activity attached to it, either use a business visa, a digital nomad visa, or confirm in writing that the country tolerates short remote work on a tourist entry.
Compliance rules follow your keyboard across borders, even when the border does not feel like one.
GDPR Follows You, Not Your Employer
The EU's General Data Protection Regulation applies whenever personal data is processed from within the EU/EEA — regardless of where the employer is headquartered. If you are a New Yorker working for a US company and you log into your CRM from a Lisbon apartment, your employer is now processing data subject to GDPR. That triggers obligations around lawful basis, security measures, transfer impact assessments, and — if anything goes wrong — potential fines up to four percent of annual global turnover. It is not your job to solve this, but it is your job to make sure your employer knows you are physically in the EU so they can implement the right safeguards. Working quietly from Berlin without telling HR can expose your company to liability you did not sign up to create.
The Schengen 90/180 Rule, Demystified
- Non-EU nationals can spend a maximum of 90 days in any 180-day rolling window inside the entire Schengen Area — not per country
- The clock rolls backward from any given day: count your Schengen days in the preceding 180 days, and the total cannot exceed 90
- Leaving Schengen for the UK, Ireland, or the Balkans resets nothing automatically; you still owe the balance when you return
- Overstaying by even a day can trigger entry bans of one to five years across all 29 Schengen countries
- A national long-stay visa or residence permit from one Schengen country lets you stay longer in that country but still limits you to 90/180 in the others
Disclose Before You Fly, Not After
The single most effective thing you can do to protect both yourself and your employer is to tell HR, in writing, where you plan to work and for how long — before you book flights. A short email saying "I'll be working from Barcelona from the 3rd to the 17th of June" gives your employer the chance to check permanent establishment risk, issue an A1 certificate, flag any PWD requirements, and confirm the data-protection setup. It also creates a paper trail that protects you if anything goes sideways. Many employment contracts now explicitly require this disclosure; failing to give it can be grounds for dismissal on its own, separate from any compliance fallout.
Risk Travels in Both Directions
People think of compliance as something the company worries about and the employee benefits from. Not here. If your unauthorised remote week triggers a tax filing in Austria or a PWD fine in Germany, the financial hit may land on your employer — but the employment consequences land on you. The reverse is also true: employers who ignore your disclosures owe you a duty of care under ISO 31030 and national law. Treat this as a two-way street.
Key Takeaway
The three compliance blindspots — Posted Workers Directive, work entitlement, and GDPR — catch remote workers who assume "nobody will know." Disclose your plans to HR in writing, verify your visa actually permits paid activity, and count your Schengen days. Protecting your employer is how you protect your job.
