A member of the European Commission's digital unit is drafting a new policy on data protection in the context of cloud computing services. They need to ensure the policy aligns with the core principles of the General Data Protection Regulation (GDPR) regarding how personal data is handled by service providers. Which of the following actions best reflects a fundamental GDPR principle for a public body selecting a cloud provider?