Liability rests with the Controller for damage caused by processing which infringes GDPR. The Processor is only liable where they have not complied with specific processors obligations under GDPR or have acted outside or contrary to instructions of the Controller.