Is it true that under the GDPR, controllers must always contact the supervisory authority following a DPIA?

Under the General Data Protection Regulation (GDPR), controllers are not required to contact the supervisory authority after every Data Protection Impact Assessment (DPIA). A DPIA is a process that helps identify and minimize the data protection risks of a project. The GDPR does require a controller to consult the supervisory authority before proceeding with the data processing activities in certain situations involving high risks to individuals' rights and freedoms, but this is not an automatic requirement following every DPIA.

Controllers are only obligated to inform the supervisory authority if the DPIA indicates that the processing would result in a high risk if mitigations are not performed. Therefore, the idea that there is a blanket requirement to contact the supervisory authority after every DPIA is incorrect. This understanding is crucial as it differentiates between the standard practice of assessing data protection impacts and the specific requirements for high-risk situations necessitating further consultation.
