The European Commission states: “A controller determines the purposes, conditions and means of the processing of personal data. A processor processes personal data on behalf of the controller.”
Personally, I like the way the ICO put it when they said the Data Controller is the person, or organisation, who “calls the shots”, i.e. the one who decides which Personal Data is collected and the purposes of the Processing.
The Data Processor is the person, or organisation, who Processes that data on behalf of the Data Controller. Typical examples of Data Processor services include third-party data storage, cloud service providers, data analytics, marketing, etc.
Both the Data Controller and the Data Processor are liable to fines for non-compliance and to claims for compensation from Data Subjects for Breaches of the GDPR.