In principle, the employer's sphere of influence is limited to employees' official conduct. So what you do privately remains your business, as long as you do not harm the employer.
In the context of a phishing simulation, access to the published personal information is nevertheless permitted. This is due, first, to the exclusive focus on social media used for professional purposes and, second, to the visibility settings you have chosen yourself.
Thus, if you post information on a professional social network "visible to everyone" or "visible to all members", your employer can also view this information as long as he can declare a legitimate interest in the data processing.
Since the employer has a legitimate interest in protecting the company, there is a legal basis for data processing in this particular case (according to Art. 6(1)(f) GDPR). Thus, your employer may process the self-published information from professionally used social networks accordingly.
However, we at IT-Seal are aware of the implications that such a measure can have. Therefore, we act as an intermediary: your company and your boss will not learn any detailed information about your profile. All information will remain with us and will be deleted once processing is complete. An assessment of the risk to the company only takes place anonymously.
So you have nothing to fear, while your boss learns how vulnerable his organisation is and whether he should take further measures to secure it.