Are we a controller or processor?

Every organisation that has employees is a controller to those employees. The factor which determines that the organisation is a controller is that it decides on the purpose for employment, and why and how this is done. However, a controller to its employees can be a processor to its customers. Take, for example, a cloud service which your business may be using, such as Dropbox, Office365, etc., which your employees use to be productive. This cloud service provider is a processor to your organisation, but that does not stop it being a controller to its own employees. In this example it is both controller (to its employees) and processor (to its customers).

All public authorities are controllers to their citizens, and no citizen can avoid using public services. Hospitals are controllers to our health data and schools to children's data.

Every controller is also a processor; after all, it is impossible to collect personal data without using that data one way or another, even if the controller engages a processor (e.g. a call-centre) to collect the data or to process it. The reason is that it is the controller which decides that personal data must be collected and why. The processor must do exactly what the controller says, and this is done using a legal document called a Data Processing Agreement (DPA).
Liability is why a Data Processing Agreement (DPA) is implemented between the controller and the processor.