Any controller and processor that processes personal data on a large scale or as a core activity must designate a Data Protection Officer, or DPO. The DPO works together with management and advises them with regards to privacy legislation. The DPO is a protected resource. Management cannot issue instructions to the DPO, nor can they penalize the DPO for performing its tasks. They must also choose the DPO based on merits and expert knowledge. The DPO also helps instruct and advise the employees of the company. It is also the natural point of contact for the authorities, as well as the public. If they have any requests, they are free to contact the DPO.