Can Moodle be GDPR compliant when a user record isn't actually deleted from Moodle's database when you delete an account via the Data Requests page? Only a flag is set to mark the account as deleted.
Moodle versions that support GDPR/deletion requests do more than set a flag when a user requests deletion (assuming you run cron so that the deletion task is able to run on the user). There is some data retained, but this is kept for reasons such as auditing purposes (which is allowed under GDPR), for example as evidence that the user has in fact been deleted.
The deeper explanations of what/why data is retained are fairly lengthy (and may depend on which Moodle version you are using). If you have a look at one of my earlier forum replies to a similar question, I've linked to some resources that dive into this and can hopefully help clarify in more detail.
Thank you very much, it sure is complicated! And good to know that there is no problem here.