Hey!
How does XenForo as a software handle the new GDPR ?
IMHO quite well, although not 100% (there probably doesn't exist any website in the world that is 100% compliant).
The biggest part on your site is to setup your privacy policy as needed.
This can't be done by XenForo out-of-the-box as it depends on how you setu your site, whihc services your ue, customizations, style, etc.
Can users delete their accounts?
By themselves? No. That isn't necessary at all anyway.
What happens after the deletion with the data?
This depends on how you setup your installation and which kind of data the deleted user has in the DB.
If the deleted user was not a moderator, an admin, a user who generated server errors, a user who generated email bounces or a user who was detected as a spammer, die not cause failed logins during the last 24 hours, was not active on your website during the last 4 hours (default) and you are only using stock XenForo there will be no data left.
In other cases some data might still be in the DB after deletion and will be clean up after ome time (how much depends on your settings).
Can you just "deactivate" the account?
You, eg. the admin can do that but that doesn't fulfill a deletion request.