A law firm will most likely be considered a controller when processing personal data from third parties as part of a representation of a client (e.g., when collecting information from a witness).
While it is theoretically possible that a law firm may function as a processor by collecting personal data from a third party on