As a digital security advisor for an EU delegation abroad, you must evaluate the security posture of a new cloud collaboration tool that the EU uses to share sensitive data of EU citizens with international partners. According to the principles of the General Data Protection Regulation (GDPR) and the EU's security guidelines, which of the following measures is a fundamental requirement that must be verified before approving the deployment of this tool, ensuring data protection even in case of a security breach or unauthorized access?
option_A: Implement a system of end-to-end encryption that protects the confidentiality and integrity of the data, ensuring that only authorized parties can access them, regardless of the physical location of the servers.
option_B: Conduct a security compliance audit only at the end of a 3-year contract to verify that the data have not been compromised.
option_C: Ensure that the cloud provider has its physical headquarters in an EU country to automatically comply with data sovereignty without the need for additional technical measures.
option_D: Guarantee that the cloud provider has signed service level agreements (SLA) that promise 99.9% availability for continuous access to the data.
option_E: Remove metadata from documents before uploading them to the cloud to ensure that they cannot be traced back to the sources of the sensitive data.
Explanation:
1) **Why option A is correct**: Option A is correct because **end-to-end encryption** is a fundamental technical measure to ensure the **confidentiality and integrity** of personal data, as required by the GDPR (General Data Protection Regulation). Even if the data are stored in the cloud or shared with international third parties, encryption ensures that the data remain unreadable to unauthorized persons, protecting the rights of EU citizens. The GDPR emphasizes 'data protection by design and by default', where encryption is one of the most effective security measures recommended by the EU's data protection authorities.
2) **Why the other options are incorrect**:
- **Option B (Audit only at contract end)**: This is a **timing trap**. Data security should be proactive and continuous, not reactive. Waiting 3 years for an audit violates the 'privacy by design' principle and leaves data exposed for the entire period.
- **Option C (HQ in the EU)**: This is a **generalization trap**. While the GDPR regulates data transfers outside the EU, it does not strictly prohibit servers being outside the EU if there are adequate protection mechanisms (such as Standard Contractual Clauses and technical measures like encryption). Physical location alone is not sufficient without additional technical measures.
- **Option D (SLA availability)**: This is a **confusion of metrics trap**. While availability (99.9%) is important for service continuity, it does not guarantee **security** or **data protection** itself. A system can be always available but completely compromised if there is no encryption.
- **Option E (Remove metadata)**: This is a **partial solution trap**. Removing metadata is a good practice of anonymization in certain contexts, but it does not replace the need to encrypt sensitive data content. Additionally, in some official collaboration cases, metadata may be necessary for activity logging, and their complete removal could prevent compliance audits.
3) **Quick tip**: In the exam, always look for the option that prioritizes **technical protection** (encryption, anonymization, restricted access) over **geographical location** or **generic service agreements**.