An EU official is managing an international cooperation project in collaboration with the European External Action Service (EEAS). The project involves processing personal data of citizens from third countries for foreign policy analysis purposes. According to the fundamental principles of the GDPR applicable to EU institutions and the nature of EEAS activities, which of the following statements correctly describes the 'limitation of purpose' principle in this context?