If those are to personal email addresses, they would be forbidden under GDPR (EU & UK) as not opt in and no right of deletion, ie misuse of personal data.
If they are coming to work (ie non-personal) email addresses then the employers could have some course of action, eg in the UK remove the implied right of access to email servers and then invoke the Computer Misuse Act for unauthorised use of those systems. I have eventually had some effects with variations of the second.
Their privacy policy is pretty well documented: https://www.ashbyhq.com/resources/privacy
Ashby is the tool the companies use to recruit. It doesn't sound like they directly collect recruit data from third parties. But it sounds like their customers may be doing so.
You can reach out to the company spamming you and they should have more data about where your information is coming from.