An agent of the European Union Delegation in a third country is managing a digital cooperation mission. During an internal audit, it is detected that the communication system used by the mission transmitted personal data of EU citizens to a cloud server located outside the EU, without an adequate transfer mechanism. The agent argues that, given that the mission operates under the mandate of the European External Action Service (EEAS) and its objective is to promote human rights and sustainable development, the data protection principles of the General Data Protection Regulation (GDPR) do not apply in the same way as to EU institutions established in Brussels. Based on EU law and the mandate of the EEAS, what is the correct assessment of the situation and the applicable legal framework?