A staff member of the EU Delegation in a third country manages a sustainable development project that involves the exchange of sensitive personal data with local partners. The project uses an AI generative tool to analyze reports and draft drafts, and it is planned to store the data in a public cloud server of a third-party provider (outside the EU). In the context of the EU's digital governance, which of the following statements best describes the correct approach to ensure compliance with data protection regulations (GDPR) and information security, considering the EU institutions' cybersecurity guidelines and the external action framework?