Guidelines 07/2020 on the concepts of controller and processor in the GDPR
Section 1.5 Processor determining purposes and means of processing
146. If the processor infringes the Regulation by determining the purposes and means of processing, it shall be considered as a controller in respect of that processing (Article 28 (10) GDPR).