An EU delegation official in a third country must urgently transfer a set of confidential EU data containing personal information of EU citizens for processing in a cloud computing environment provided by a third-party Cloud Service Provider located in a country that does not have an EU Commission adequacy decision. The official is evaluating the viability of this transfer under the General Data Protection Regulation (GDPR) and the European Data Protection Board (EDPB) guidelines. Which of the following measures is the only one that allows for a legal transfer of personal data to a country without an adequacy decision, assuming the cloud provider cannot independently meet EU protection standards?