Michael Gesmann told me that our approach to only have usernames in audit logs is not sufficiant for GDPR law. So for legal reason we need to have a method to remove usernames from (and user ID?) from the audit logs on user request.
Michael also stated that this maybe only needs to be done when a customer asks for this.
Needs to be clarified with legal experts first!