Your Employee’s Location Creates Your Compliance Obligations
When your engineer works from Lisbon, Portuguese labor law applies. Portuguese tax law applies. GDPR applies. Portuguese social security applies. The fact that your company is in Delaware and the employment contract says “governed by Delaware law” is irrelevant to the Portuguese tax authority.
This is the foundational principle of international remote employment compliance: obligations attach to the employee’s location, not the employer’s. Every remote employee in a new country creates a web of potential compliance obligations. Most companies handle the employment piece through an EOR and assume the rest is covered. It’s not.
The compliance requirements for international remote teams fall into five categories, and only one of them (employment law) is what the EOR handles.
1. Permanent Establishment Risk
Permanent establishment (PE) is the risk that your company creates a taxable presence in another country through the activities of a remote employee. If a tax authority determines you have a PE, you owe corporate income tax on profits attributable to that PE — retroactively.
The OECD framework. Most countries base PE rules on the OECD Model Tax Convention, which defines PE through two main tests:
Fixed place of business PE. If your company has a fixed location through which it conducts business — an office, a branch, even a home office in some interpretations — a PE may exist. A remote employee working from their apartment generally doesn’t trigger this, unless the employer requires them to work from that location (creating a “fixed place at the employer’s disposal”).
Dependent agent PE. If a person in a country habitually exercises authority to conclude contracts on your behalf, or habitually plays the principal role leading to the conclusion of contracts, they create a dependent agent PE. This is the risk for sales roles. Your remote sales rep in Germany who meets clients, negotiates pricing, and effectively closes deals creates a PE — even if someone in headquarters clicks “approve” on the contract.
Country-specific PE risk levels:
| Country | PE Risk for Remote Workers | Key Concern |
|---|---|---|
| France | High | Aggressive agent PE interpretation. Sales reps trigger quickly. |
| Germany | High | Betriebsstätte rules extend to home offices in some cases. |
| India | High | Low thresholds, broad agent PE rules, aggressive enforcement. |
| UK | Moderate | HMRC focuses on trading activity, not just presence. |
| Australia | Moderate | Broad PE rules, but enforcement is resource-limited. |
| Singapore | Low–Moderate | Narrow PE definition, but MAS scrutinizes financial services. |
| US | Moderate (state-level) | No federal PE, but state nexus rules create tax obligations. |
Mitigation: Restrict remote employees from activities that trigger PE — no contract signing, no deal negotiation, no strategic decision-making on behalf of the company in-country. Document these restrictions. Use EOR for employment (which separates the employment relationship from your entity), but understand that EOR doesn’t prevent PE from the employee’s commercial activities.
2. Tax Nexus and Withholding Obligations
Separate from PE, having an employee in a country can create tax withholding and reporting obligations.
Payroll tax. If you employ someone in a country (even through EOR), payroll taxes must be withheld and remitted in that country. The EOR handles this. But if you also have direct payments to the employee (bonuses, equity, reimbursements) that bypass the EOR’s payroll, you may create parallel withholding obligations.
Corporate tax nexus (US state-level). In the US, each state has its own nexus rules. Having a remote employee in California, New York, or Texas can create corporate income tax, franchise tax, and sales tax obligations in that state. Some states assert nexus with a single employee. The Wayfair decision expanded economic nexus for sales tax, and states are applying similar logic to income tax.
Double taxation treaties. If PE is triggered, double taxation agreements (DTAs) between countries determine how profits are allocated and which country has primary taxing rights. Most DTAs follow the OECD model, but specifics vary. The DTA may not fully eliminate double taxation — it allocates primary and secondary taxing rights, and the mechanics of credits and exemptions create real complexity.
Employee tax residency. Your EOR employee is tax-resident where they live. But if they spend significant time in another country — your headquarters country, a client’s country, a “workcation” country — they may trigger tax obligations there too. The 183-day rule is a rough guide, but many countries use more nuanced tests.
3. Employment Law Jurisdiction
The employment law that governs your remote worker is the law of the country where they work. An EOR handles compliance with this law — that’s the core EOR value proposition.
But some employment law issues sit at the intersection of the EOR’s responsibility and yours:
Working time regulations. The EU Working Time Directive limits working weeks to 48 hours (averaged). France adds the “right to disconnect.” Germany’s Arbeitszeitgesetz restricts daily working hours to 10 hours. If your US-based manager expects your German remote employee to be available 12 hours a day, you’re violating German working time law — and the EOR contract won’t protect you from an employee complaint.
Health and safety. Many countries extend workplace health and safety obligations to home offices. Germany’s Arbeitsstättenverordnung covers home workstations. France requires employers to ensure ergonomic working conditions even for remote workers. The EOR may include basic guidance, but the practical responsibility to ensure your remote employee has a safe workspace falls on you.
Data protection in the employment context. Employee monitoring, email access policies, and productivity tracking are regulated differently by country. Germany’s Bundesdatenschutzgesetz (BDSG) and works council co-determination rights severely restrict employee monitoring. France limits employer surveillance. Installing monitoring software on your German EOR employee’s laptop without proper consent and works council approval violates German law.
4. Data Privacy (GDPR and Beyond)
Remote international teams create cross-border data flows that trigger privacy regulations.
GDPR for EU/EEA employees. If you have employees (including EOR employees) in the EU, GDPR governs their personal data. This includes:
- Lawful basis for processing. Employment data is typically processed under “legitimate interest” or “performance of a contract.” Consent is rarely the right basis for employment data (because the power imbalance between employer and employee makes consent non-voluntary).
- Cross-border transfers. If employee data flows from the EU to your US headquarters, you need transfer mechanisms: Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or reliance on an adequacy decision (the EU-US Data Privacy Framework, if still in effect).
- Data minimization. Collect only the personal data you need. Your US HR team doesn’t need your German employee’s religious affiliation (which is relevant for German tax purposes but shouldn’t flow to your US systems).
- Data breach notification. 72 hours to notify the relevant supervisory authority. If your employee’s data is breached (payroll records, health information, tax IDs), the clock starts immediately.
GDPR fines: Up to €20M or 4% of global annual turnover. These are theoretical maximums, but regulators have issued multi-million euro fines for employment data violations. The Austrian DPA fined a medical company for unlawful processing of employee health data. The French CNIL has fined companies for excessive employee monitoring.
Beyond GDPR:
- Brazil’s LGPD (Lei Geral de Proteção de Dados) mirrors GDPR for Brazilian employee data
- India’s DPDP Act (Digital Personal Data Protection Act, 2023) creates data processing obligations for Indian employee data
- Singapore’s PDPA covers employee personal data with some employment-specific exemptions
- US state privacy laws (California’s CCPA/CPRA, Virginia’s CDPA, Colorado’s CPA) increasingly cover employee data
5. Work-From-Anywhere Policies: The Compliance Framework
“Work from anywhere” sounds progressive until your employee works from a country that creates PE, triggers tax obligations, or violates immigration rules.
The compliance risks of unrestricted work-from-anywhere:
- Tax residency. Employee spends 4 months in Portugal → becomes Portuguese tax resident → owes Portuguese income tax → your EOR was only set up in the UK
- Immigration. Employee works from Thailand on a tourist visa → violating Thai immigration law → potential deportation and employer penalties
- PE creation. Employee works from Germany for 6 months → performs sales activities → triggers German PE → corporate tax liability
- Social security conflicts. Employee works in multiple EU countries → A1 certificate requirements → potential dual social security obligations
Building a compliant policy:
- Define approved countries. Limit work-from-anywhere to countries where you already have employment coverage (through EOR or entity) or where the compliance risk is low for the employee’s role.
- Set duration limits. Most compliance obligations trigger after extended stays (30–90 days depending on country and obligation type). Set a maximum of 30 days per country per year for “workcation” travel.
- Require pre-approval. Employees must notify you (and your EOR) before working from a different country for more than X days. This gives you time to assess tax and PE implications.
- Distinguish between relocation and travel. Working from a cafe in Barcelona for 2 weeks is travel. Moving to Barcelona permanently is relocation. The compliance obligations are fundamentally different, and your policy should distinguish between them.
- Consider role-based restrictions. Sales roles that create PE risk may need stricter geographic restrictions than engineering roles. A remote engineer writing code in Lisbon is low risk. A remote sales director meeting Portuguese clients from Lisbon is high risk.
- Track employee locations. Use self-reporting or location tracking tools. Deel and Remote offer policy management tools that track employee locations against your approved-country list.
Compliance Checklist for Remote International Teams
| Compliance Area | Responsibility | EOR Covers? |
|---|---|---|
| Employment contract compliance | EOR | Yes |
| Payroll tax withholding and filing | EOR | Yes |
| Social security enrollment | EOR | Yes |
| Statutory benefits | EOR | Yes |
| Permanent establishment assessment | Your company | No |
| Corporate tax nexus analysis | Your company | No |
| GDPR/data privacy compliance | Shared (EOR for HR data processing; you for cross-border transfers) | Partially |
| Employee monitoring compliance | Your company | No |
| Work-from-anywhere policy | Your company | No |
| Immigration/work permit compliance | Your company (EOR may assist) | Partially |
| IP assignment chain | Shared (EOR drafts contracts; you verify) | Partially |
When Not to Use This Approach
All your international employees are on a single EOR and none perform sales or client-facing activities. The EOR handles employment compliance. Your residual obligations — PE risk, GDPR data transfer mechanisms, work-from-anywhere policies — are real but lower in scope when the workforce is purely technical and remote. Focus your compliance investment on PE assessment and GDPR Article 28 agreements, not the full framework.
Your international team is all contractors, not employees. Contractor compliance is a different framework — primarily classification risk and payment compliance, not employment law jurisdiction or social security coordination. This guide doesn’t apply to contractor relationships.
All international employees are in countries where your company has established entities. Entity-based compliance (local HR, employment contracts from your entity, local payroll) is the relevant framework. The remote hiring compliance risks here — EOR-specific PE exposure, GDPR data processor agreements, work-from-anywhere policy design — are less directly applicable when you’re the direct employer.
You’re hiring a single employee in a country with low PE risk and straightforward employment law (e.g., UK or Canada). A full compliance audit isn’t necessary. Your EOR covers employment; a brief PE risk check with your tax advisor is sufficient. Reserve the full framework for complex multi-country setups or high-PE-risk markets.
Frequently Asked Questions
Does using an EOR eliminate my PE risk?
No. EOR separates the employment relationship (which sits with the EOR entity) from your company. But if the EOR employee performs activities that create PE — signing contracts, negotiating deals, making strategic decisions on your behalf — the PE risk is yours. EOR reduces employment compliance risk but doesn’t address commercial activity risk.
Can my remote employee work from a different country than where they’re employed through EOR?
Technically they can, but it creates compliance issues. If an EOR employee registered in the UK works from Spain for 4 months, Spanish tax and social security obligations may be triggered. The EOR was set up for UK employment. You’d need to either restrict the employee’s location or set up a separate EOR arrangement in Spain.
Do I need a data processing agreement with my EOR?
Yes, for EU employees. The EOR processes your employee’s personal data as a data processor. GDPR Article 28 requires a written data processing agreement specifying the scope, purpose, and duration of processing, as well as the technical and organizational security measures. Most EOR providers include a DPA in their service agreement. Read it.
What if my employee doesn’t tell me they’ve moved to another country?
This is more common than you think. An employee hired in the UK quietly relocates to Portugal. Payroll continues in the UK. Portuguese tax and social security go unfiled. When discovered — by either a tax authority or the employee filing a Portuguese tax return — the correction involves retroactive filings, penalties, and potentially switching the EOR arrangement to Portugal. Prevention: require location self-reporting in your employment policy.