Expert Advice Community


Questions for GDPR

Guest user Created:   Oct 28, 2021 Last commented:   Oct 30, 2021


I'm wondering if you could help me out with a couple of questions related to GDPR and controllers? Our company has clients who have personal data that our system collects from their employees and visitors to their premises. The clients have access to the data that our system collects. We (the company) determine the why and how data is collected, however the clients can see the data and even create reports from the personal data. Is this considered a controller to controller relationship, or would it be a controller to processor relationship? (i.e. is the client a controller because they are collecting personal data from employees and visitors?) A second question we have is related to standard contractual clauses. Personal data that our clients collect is transferred to our servers located in Canada. Are SCCs required for the transfer of personal data from the EU/EEA to us for processing?

Expert
Alessandra Nisticò Oct 30, 2021

"I'm wondering if you could help me out with a couple of questions related to GDPR and controllers?

Our company has clients who have personal data that our system collects from their employees and visitors to their premises. The clients have access to the data that our system collects. We (the company) determine the why and how data is collected, however the clients can see the data and even create reports from the personal data. Is this considered a controller to controller relationship, or would it be a controller to processor relationship? (i.e. is the client a controller because they are collecting personal data from employees and visitors?)"

I assume that your system provides a service to your clients and while providing the service processes personal data of employees and visitors (i.e., an access control software installed on premises). If this is the case, you are the data processor because you are providing the means for the data controller (your client) to process personal data of the employees and visitors for its own purposes (in our example, of access control software to guarantee safety).
In fact, Article 28 GDPR states that the data processor is the one who processes personal data on behalf of the data controller.

"A second question we have is related to standard contractual clauses. Personal data that our clients collect is transferred to our servers located in Canada. Are SCCs required for the transfer of personal data from the EU/EEA to us for processing?"

If your organization falls within the scope of the Canadian Personal Information Protection and Electronic Documents Act ("the Canadian Act") (and further amendments), you can benefit from the adequacy decision of the European Commission (https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002) and you can proceed with data transfer according to Article 45 GDPR without implementing the Standard Contractual Clauses.
Here you can find the list of countries with adequacy decision: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en 

Here you can find more information about the difference between controller and processor and about the data transfer:
EU GDPR controller vs. processor – What are the differences? https://advisera.com/eugdpracademy/knowledgebase/eu-gdpr-controller-vs-processor-what-are-the-differences/
3 steps for data transfers according to GDPR https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/

If you need to understand how to implement EU GDPR compliance, you may consider enrolling in our EU GDPR Foundations Course: https://advisera.com/training/eu-gdpr-foundations-course/
