Mobile phones at end of lease: destroy or refurbish?
Every two years many companies see a truckload of smartphones slide out of the lease cycle: devices that were used for business email, cloud storage, VPN tokens, customer data and sometimes medical or financial apps. The leasing company wants them back and refurbishers want to buy them, but the CISO wonders what happens to all the data that landed on those handsets over three years. The tension between economic residual value and GDPR compliance is greater for mobile phones than for any other device category.
This article sets out where the risks lie, how to decide between refurbish and destroy, and when physical destruction is the only safe option.
Why smartphones are a category of their own
A business smartphone contains more personal data than an average office laptop. Think of:
- Full email history with attachments
- Contacts including private numbers
- WhatsApp and Signal conversations
- Cloud photos with location data
- VPN configurations and tokens
- Authenticator apps with 2FA keys
- Health apps and fitness tracking
- Business apps like CRM, Microsoft Teams, Slack, DocuSign
The consequences of loss or careless disposal are therefore large. A refurbished device with readable data on it can cause a data breach of significant scale.
What can secure erase do on iOS and Android?
iPhone and iPad
Apple uses hardware encryption backed by the Secure Enclave. The "Erase all content and settings" function discards the encryption key, which makes all data cryptographically unreadable. In principle this is safe, provided that:
- The device runs a current iOS version with no known key-extraction vulnerabilities
- The Apple ID is signed out before you wipe
- Find My iPhone is disabled (otherwise Activation Lock leaves the device unusable for the refurbisher)
- No jailbreak is present
Android
Android is more complex. Manufacturers (Samsung, Google, Oppo, Xiaomi, etc.) implement encryption and factory reset in their own ways. Since Android 6 File-Based Encryption has been standard, but older devices and cheaper models do not always have full hardware encryption. A factory reset appears to wipe everything, but forensic research has repeatedly shown that parts of user data remain recoverable on devices with unencrypted eMMC.
For Samsung Knox and Google Pixel models from 2020 onwards a factory reset is sufficient. For older and lower-segment devices, doubt is warranted.
A factory reset on a Pixel 8 is cryptographically reliable. A factory reset on a Moto E from 2019 is not. Know what you are holding before you hand it on.
The decision tree
1. Is the device protected by full hardware encryption and a current OS version?
   - Yes: factory reset and remote wipe via MDM usually suffice for refurbish.
   - No: go to step 2.
2. Has medical, financial or other special-category data been processed?
   - Yes: destroy physically.
   - No: go to step 3.
3. Is the device older than 4 years or no longer supported by the manufacturer?
   - Yes: destroy physically (firmware vulnerabilities are no longer patched).
   - No: go to step 4.
4. Do you have Mobile Device Management (MDM) and logging of the wipe?
   - Yes: refurbish is acceptable.
   - No: destroy physically or use a professional wipe service with certificate.
Lease contract: who is responsible?
A common misconception is that the leasing company is responsible for data destruction on return. From a GDPR perspective the controller is the organisation that used the devices, in other words you as the company. Once a device leaves your premises with readable data on it, you are liable for any breach. Leasing companies often offer a wipe service, but without audit rights and a certificate you are trusting their work blindly. Arrange it in advance in the contract: who wipes, when, with which tool, and with which certificate.
The role of MDM
A properly configured Mobile Device Management solution (Microsoft Intune, VMware Workspace ONE, Google Workspace, Apple Business Manager) is crucial. Before a device is handed back:
- MDM triggers a remote wipe and logs the result
- The Apple ID or Google account is disconnected
- Activation Lock is turned off
- The device is marked as "out of service" in the asset register
Without MDM, consistent handling is virtually impossible. Small organisations with a handful of devices can do it manually, provided each step is logged.
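As an added example (not code from the article or from desnipperaar.nl), the decision tree above and the MDM pre-return checklist encoded as a small Python classifier that can be run over a device inventory; the record fields, the reference date and the IMEIs are constructed placeholders, not the schema of any real MDM product.

```python
from dataclasses import dataclass
from datetime import date

# Constructed record for this example; field names and IMEIs are placeholders, not a real MDM schema
@dataclass
class Device:
    imei: str
    purchased: date
    hardware_encrypted: bool     # full hardware (file-based) encryption present
    os_supported: bool           # manufacturer still ships security patches
    special_category: bool       # medical, financial or other special-category data processed
    mdm_wipe_logged: bool        # MDM triggered the remote wipe and logged the result
    account_signed_out: bool     # Apple ID / Google account disconnected
    activation_lock_off: bool
    marked_out_of_service: bool  # asset register updated

DESTROY, REFURBISH, WIPE_SERVICE = "destroy", "refurbish", "wipe service with certificate"
TODAY = date(2025, 1, 1)  # fixed reference date so the sample output is reproducible

def disposition(d: Device, today: date = TODAY) -> tuple[str, str]:
    """Walk the article's four-step decision tree; returns (route, reason)."""
    if d.hardware_encrypted and d.os_supported:                     # step 1
        return REFURBISH, "step 1: hardware encryption + current OS, MDM wipe suffices"
    if d.special_category:                                          # step 2
        return DESTROY, "step 2: special-category data processed"
    if (today - d.purchased).days > 4 * 365 or not d.os_supported:  # step 3
        return DESTROY, "step 3: older than 4 years or out of manufacturer support"
    if d.mdm_wipe_logged:                                           # step 4
        return REFURBISH, "step 4: MDM wipe logged"
    return WIPE_SERVICE, "step 4: no logged MDM wipe"

def missing_handback_steps(d: Device) -> list[str]:
    """MDM pre-return checklist; returns the steps still open (empty list = ready to hand back)."""
    checklist = {"remote wipe logged": d.mdm_wipe_logged,
                 "account signed out": d.account_signed_out,
                 "Activation Lock off": d.activation_lock_off,
                 "marked out of service": d.marked_out_of_service}
    return [step for step, done in checklist.items() if not done]

def handback_report(devices: list[Device], today: date = TODAY) -> dict[str, tuple]:
    """Per IMEI: (route, reason, pre-return checklist steps still open)."""
    return {d.imei: (*disposition(d, today), missing_handback_steps(d)) for d in devices}

SAMPLE = [
    Device("IMEI-PLACEHOLDER-1", date(2023, 3, 1), True, True, False, True, True, True, True),
    Device("IMEI-PLACEHOLDER-2", date(2019, 6, 1), False, True, False, True, True, True, True),
    Device("IMEI-PLACEHOLDER-3", date(2022, 1, 1), False, True, True, True, True, True, True),
    Device("IMEI-PLACEHOLDER-4", date(2023, 9, 1), False, True, False, False, True, True, True),
    Device("IMEI-PLACEHOLDER-5", date(2023, 9, 1), True, True, False, True, False, False, True),
]
```

The report makes the audit trail explicit: a device routed to refurbish with open checklist items (sample device 5) must not leave the building until those items are closed and logged.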
Stockpile of lease-return phones?
We shred smartphones to DIN 66399 E-4 or higher at your site. Device by device, with certificate. Also for tablets, smartwatches and powerbanks with memory.
What does the standard say?
DIN 66399 treats mobile phones as electronic media. Classification:
- E-4: minimum for regular personal data. Device reduced to particles of at most 30 mm².
- E-5: for special-category and financial data. Often required by banks, healthcare providers and law firms.
See also our article on SSD destruction for a deeper explanation of why wiping flash memory is unreliable. Phones run on the same NAND technology and suffer from the same limitations.
Refurbishers and data covenants
A serious refurbisher works under the rules of WEEELABEX or comparable standards and has a certified data wipe procedure. If you decide to refurbish, require:
- Signed processor agreement (GDPR art. 28)
- Wipe certificate per IMEI
- Audit right
- Documented chain of custody: who took the devices over, when, and where they were stored
None of the above? Physical destruction is the GDPR-safe route.
Batteries and WEEE
Physical destruction must take lithium-ion batteries into account. A professional destruction service either removes the battery first or uses equipment designed to handle devices with the battery still installed. Drilling through a phone yourself or feeding it into an office shredder creates a fire risk.
Electronic waste left after destruction goes to a WEEELABEX-certified processor for metal recovery. Request evidence of this if you hold ISO 14001 certification or produce ESG reporting.
Questions about your return flow? Call us or request a quote via desnipperaar.nl. We advise free of charge on the choice between refurbishing and shredding, on the processor agreement and on logging.