Under the GDPR, both data controllers and data processors will be held responsible for the personal data they process. However, they do have some different obligations, so it is important to know which one you are. In short, the controller determines the purpose of the data processing while the processor is the one who actually processes the data. In case you missed it, we have an article dedicated to the obligations of both processors and controllers right here.
As for their responsibilities, the data processor for instance will decide how personal data is stored, the security measures to be used, the IT systems and other methods necessary to collect personal data. Processors will also decide how the data will be retrieved from individuals, how data can be disposed of or deleted and more. On the other hand, the controller will be responsible with collecting the data and the legal basis for doing so; the purpose for the using the data, about whom to collect the data, specifically which data to collect and more.