Both are fine with GDPR as long as you disclose them somewhere. That can of course be a problem if you have insufficient technical knowledge.
Does WordPress come with a page disclosing this by default?
Of course, the server access log is not really their business, just the opt-in email. So I guess the webhoster needs to educate its customers if they store server logs?
This can all get kind of complicated if you don't know what you are doing.
