A European Commission staff member working in the Digital Security Unit is evaluating a new data exchange protocol with an external partner. The protocol involves the use of generative artificial intelligence tools to process confidential EU documents stored in a public cloud. The staff member must verify compliance with the General Data Protection Regulation (GDPR) and the EU’s Security Guidelines. According to the fundamental principles of the GDPR and the EU’s security policy on cloud data processing, which of the following statements correctly describes the critical requirement for this data exchange to be legitimate and secure?