Put simply, a Controller is an organisation that decides why and how personal data is obtained and processed.
A Processor, however, is responsible for processing the data on behalf of the Controller. The Processor can also be a Controller in relation to processing its own employees' data. The GDPR legislation does in fact place obligations on both to maintain accurate records of personal data processing and to prevent data breaches.
It is worth noting that a Processor can have legal liability for data breaches for which it is responsible.