The control framework that a supervised contributor is required to have in place pursuant to Article 16(1) of Regulation (EU) 2016/1011 shall include the establishment and maintenance of at least the following controls:
an effective oversight mechanism for overseeing the process for contributing input data that includes a risk management system, the identification of senior personnel who are responsible for the data contribution process and the involvement of any compliance and internal audit functions within the contributor's organisation;
a policy on whistle-blowing, including appropriate safeguards for whistle-blowers;
a procedure for detecting and managing breaches of Regulation (EU) 2016/1011 and breaches of the applicable code of conduct developed under Article 15 of that Regulation, including a procedure for investigating any detected breach and recording the actions taken as a consequence;
periodic reviews of the process for contributing data, to be conducted at least annually and whenever there is a change in the applicable code of conduct.