The regulations oblige the controller to report breaches. If the breach is suffered by the processor, the processor must immediately inform the controller so that it can fulfil its obligations. Where appropriate, this includes reporting the breach to the APDCAT.
A processor may also report a breach on behalf of the controller, and even notify the data subjects, if this is part of the contractual agreement. However, the legal responsibility for reporting breaches and notifying the data subjects always lies with the controller.