yes, you are right. This would be the easiest way. But I'm not very happy with this, because every year 10,000 students are leaving our university and all would produce empty entries. I'm not very familiar with databases. Will we run into performance problems, if there are so many new entries every year?
It's more of a function of how many tickets they generate, not how many users (the user table is tiny compared to the ticket transactions, and judicious addition of indexes for commonly used tables like "users" will help a lot). Overall performance will depend on how well your database servers are configured. If you want to be totally safe, make sure that the database server is not on the same host as the OTRS server, and that it is clustered (even if you start with only one database server; if you configure it that way, you can horizontally scale it if you need to w/o taking an outage). Cluster and/or replication for both MySQL/MariaDB and Postgres are very stable, and not terribly hard to configure.
If you need to comply with a data privacy act, why not simply blank the fields with personal data but leave the record itself in place? [snip] If you blank or NULL the respective fields there would be no personal data left and legal aspects would be o.k.
Blanking would work too. I like to replace it with Deleted User