GDPR applies even if you use pen and paper, you still need to ask for permissions. But in this case it was a dark pattern, Google had no choice then to ask for permission but made it hard to deny them.
The [...] you omitted is "and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system." - if your company takes notes on your customers with pen and paper and puts these notes in a drawer for further use in your business processes, GDPR definitely does apply.
A random real example is that I used to work in a building which had a paper logbook where people sign the time and name when taking/returning keys for the meeting rooms. That logbook falls under GDPR as it has personally identifiable information - there's the legitimate need use case justifying it; but if the company suddenly wanted to use the stored data for some other purpose, that might be restricted.
GDPR is applied to personal data in general. It is "General Data Protection Regulation".
And it states in (15):
--- start quote ---
In order to prevent creating a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used. The protection of natural persons should apply to the processing of personal data by automated means, as well as to manual processing, if the personal data are contained or are intended to be contained in a filing system
--- end quote ---
And in Article 2, emphasis mine. It also lists what it doesn't apply to.
--- start quote ---
1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
2. This Regulation does not apply to the processing of personal data:
(a) in the course of an activity which falls outside the scope of Union law;
(b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
(c) by a natural person in the course of a purely personal or household activity;
(d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
--- end quote ---
And in Article 4. Definitions
--- start quote ---
(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
GDPR applies even if you use pen and paper, you still need to ask for permissions. But in this case it was a dark pattern, Google had no choice then to ask for permission but made it hard to deny them.