Privacy: can my employer access sensitive information if they pay my mobile subscription? I bought the hardware myself
They will most likely be able to see an itemised bill showing who you called and when. They will also be able to see mobile data usage.
If the phone is enrolled in the organisation's mobile management system, they may be able to monitor and control app usage as well as monitor and control internet traffic.
UPDATE: In a worst-case scenario they could potentially install full monitoring and install things like key loggers; this is very unlikely, however. Additionally, depending on what part of the world you live in, there are restrictions on what they can legally collect, especially without consent.
The best thing to do is ask your company what you can and can’t use the phone for. If it is a large organisation they should have a security policy and an acceptable use policy.
My thoughts about having a company-managed phone or a company-paid contract, and your company's Exchange. I include relevant information for iPhone devices (since the amount of control varies across mobile platforms).
Phone
If you are using Exchange ActiveSync to access your company email/contacts/calendar, note that with ActiveSync, your company can:
- Configure a Mobile Phone for Synchronization
- Disable a Mobile Phone for Exchange ActiveSync
- Enable a Device for Exchange ActiveSync
- View a List of Devices for a User
- Configure Device Password Locking
- Recover a Device Password
- Perform a Remote Wipe on a Mobile Phone
- Install SSL Certificates on a Windows Mobile Phone
- Configure Mobile Phones to Synchronize with Exchange Server
Apple and Google also have similar centralised management options. There may be other 3rd party services or software that perform similar tasks.
If your phone has been set up with Google G Suite, your company can:
- Automatically synchronize email, calendars, and contacts with users’ devices.
- Turn on or off features, such as lock screen widgets, Siri, My Photo Stream, Handoff, and iCloud Photo Sharing.
- Protect your organization’s managed data by controlling which apps can be used to open documents and attachments.
- Control Apple® iCloud® backup and sync, and turn on backup encryption. Apply device-management controls, such as account wipe, encryption, and screen lock.
- Keep work data secure with G Suite apps, such as Gmail, Google Drive, and Calendar. For details, see Get mobile apps for iOS devices.
If your company was using Apple Device Enrolment, they can access, amongst other things:
- Global network proxy for HTTP
- Allow iMessage, Game Center, iBooks Store, AirDrop, Find My Friends
- Allow removal of apps
- Allow user-generated content in Siri
- Allow manual installation of configuration files
- Allow configuring restrictions
- Allow pairing to computers for content sync
- Allow account modification
- Allow cellular data settings modification
- Allow Erase All Content and Settings
- Restrict AirPlay connections with whitelist and optional connection passcodes
- Enable Siri Profanity Filter
- Single App Mode
- Accessibility settings
Note that a remote backup includes a lot of your phone information (installed apps, etc.). I'm almost certain your company could access this information if they wanted to.
Contract
This depends on whether your employer simply pays for your contract or they are the contract owners and therefore have access to the mobile operator online tools.
If they own the contract, they can definitely access the detailed list of phone calls (including numbers, time and duration). They may also be able to access your Internet data pattern usage (which may reveal some of your habits).
I know of no provider (Europe / Spain) that allows customers to access a detailed list of websites visited, or IPs accessed, but I might be wrong here. I doubt this since it would require your phone provider to do deep packet inspection and maintain quite expensive log and data mining facilities... it is definitely doable, but I have never heard of this.
General info
Anyone using their phone to access their company resources (even simply checking mail via POP3/IMAP) is usually revealing their approximate geographic position to their company in a periodic fashion.
If you use your company proxy or VPN to access any of their resources, note that your Internet traffic or browser behaviour may be forwarded through your company servers, which would allow them to track which sites you visit (and the content if those sites don't use HTTPS).
If your company has installed custom certificates on your phone, they could potentially also view any HTTPS traffic if you are using their proxy.
TL;DR
In summary, I'd recommend that you:
- Find out if your phone has been enrolled in a remote management system.
- Check what kind of information your phone company provides to their (business) customers about their contracts.
- Check if your company has installed any extra software, proxy/VPN settings or certificates on your phone (in case you handed your phone to them at any time OR allowed them remote administration).
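The three checks above come down to reading what a configuration profile grants. As an added example (not part of this answer or of any MDM product), the script below parses a constructed iOS .mobileconfig (a plist) and reports the payloads that matter for the concerns discussed here: an extra root CA, a global HTTP proxy, and feature restrictions; the profile identifier and proxy host are placeholders.

```python
import plistlib

# Payload types from Apple's Configuration Profile Reference and what each one
# lets the organisation do on an enrolled iPhone.
PAYLOAD_MEANING = {
    "com.apple.mdm": "MDM enrolment: remote lock, wipe, app inventory and install",
    "com.apple.security.root": "extra trusted root CA: HTTPS can be decrypted by a company proxy",
    "com.apple.proxy.http.global": "global HTTP proxy: web traffic routed through company servers",
    "com.apple.applicationaccess": "restrictions on device features and apps",
}

# Constructed sample profile (not from any real organisation); host name is a placeholder.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadIdentifier</key><string>com.example.corp.profile</string>
<key>PayloadRemovalDisallowed</key><true/>
<key>PayloadContent</key><array>
<dict><key>PayloadType</key><string>com.apple.security.root</string>
<key>PayloadIdentifier</key><string>com.example.corp.ca</string></dict>
<dict><key>PayloadType</key><string>com.apple.proxy.http.global</string>
<key>ProxyServer</key><string>proxy.example.com</string>
<key>ProxyServerPort</key><integer>8080</integer></dict>
<dict><key>PayloadType</key><string>com.apple.applicationaccess</string>
<key>allowAppRemoval</key><false/>
<key>allowEraseContentAndSettings</key><false/>
<key>allowUIConfigurationProfileInstallation</key><false/>
<key>allowAccountModification</key><true/></dict>
</array></dict></plist>"""

def summarise_profile(data: bytes) -> dict:
    """Parse a .mobileconfig and report which controls it grants the organisation."""
    profile = plistlib.loads(data)
    findings = {"identifier": profile.get("PayloadIdentifier"),
                # A profile the user cannot remove is the usual sign of MDM-level control.
                "removable": profile.get("PayloadRemovalDisallowed") is not True,
                "payloads": [], "proxy": None, "disallowed": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        findings["payloads"].append((ptype, PAYLOAD_MEANING.get(ptype, "unknown payload type")))
        if ptype == "com.apple.proxy.http.global":
            findings["proxy"] = f"{payload.get('ProxyServer')}:{payload.get('ProxyServerPort')}"
        elif ptype == "com.apple.applicationaccess":
            # Restriction keys are named allowX; a False value means the feature is blocked.
            findings["disallowed"] = sorted(k for k, v in payload.items() if k.startswith("allow") and v is False)
    return findings

for ptype, meaning in summarise_profile(SAMPLE_PROFILE)["payloads"]:
    print(f"{ptype}: {meaning}")
```

On a real device the installed profiles are listed under Settings > General > VPN & Device Management; the .mobileconfig file itself is usually the one you were sent or downloaded during enrolment.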
In addition to the other points that have been made, many websites use an SMS message to your mobile phone as a form of two-factor authentication, even though the best practice nowadays is not to do that. So they could at any time divert messages to your number to themselves, and use that to take over your Internet accounts, even accounts that you never use with the phone.