Do I violate the EU GDPR when I host a static website on Google?

Question

To my knowledge IP addresses are considered personal data under the GDPR and thus may only be processed under one of several conditions (one being user consent). There has also been a verdict in a German court according to which embedding Google Fonts (loaded from Google servers) requires such consent, because the IP address is shared with Google. So website operators can either ask for consent or serve the fonts from their own server instead.

But, what if my entire site is hosted at Google? Obviously Google receives the visitors' IP addresses starting with the very first HTTP request and I get no chance to ask them for permission BEFORE that happens. There are plenty of hosting options inside the EU. Let us assume that my site is static and could be hosted on any one of them, so I can make no argument for choosing Google specifically.

• Am I even allowed to use Google for hosting my site?
• Does it make a difference whether I inform the visitor (after the processing of their IP has already happened)?
• IF it is OK, can I then use Google Fonts without consent, because Google has already seen the visitor's IP anyway?

Side note: These seem like really weird questions to ask, but after following some GDPR debates about Google Fonts and even basic things like HTTPd access logs, nothing seems quite certain anymore.

Answer 1

When you use other services, the question is whether that service acts as an independent data controller, or as a data processor who only uses the data on your behalf. When engaging a data processor they must be legally bound to only use the data on your behalf, for example with a contract / data processing agreement (DPA). See Art 28 GDPR.

Data processor status is attractive because processors are seen as an extension of the controller. In contrast, when sharing data with other controllers you would need a separate legal basis to authorize this sharing.

Google offers tons of different services, so this question needs to be considered on a case by case basis. For Google Cloud services or Google Workplace, Google generally acts as a data processor. For other services, Google acts as a controller. Notably, Google Fonts does not offer a DPA so that you cannot claim they're acting as a processor in that context, regardless of what other Google services you use.

An equally important problem when using Google services is the data transfer problem. Google is controlled from the US, but the US do not offer an adequate level of data protection (see the Schrems II judgement). Comparatively few Google services allow you to select where the servers are located, as to prevent transfers of personal data to countries where privacy cannot be guaranteed. For example, this is why Google Analytics (GA) is problematic. Google acts as a data processor for basic GA features but makes no promises about the location of servers. Thus, using GA implies a (probably) illegal transfer of personal data to the US.