Since the IT guy was mentioned: it also depends on what device you were using to access those sites. If it is something managed by your company (there are various ways to do that - domain membership, MDM, mobile iron or similar for phones, etc), IT/the company can have access to virtually anything - whatever you type, send or receive. VPN/HTTPS are not a factor anymore since they can either collect the data on your device after decryption, or use other means to decrypt the traffic without causing warnings. Depending on where you live/work the expectations to disclose any of those to employees may vary from fairly rigid to none. At all places where I have worked looking at someone's data for no reason, or discussing what that data is in public would have been a huge problem for whoever did it. I have been lucky with where I have worked though, and I can imagine that things are not so nice at other places.