UK is kind of special. On paper, yes, there’s GDPR. In fact the most annoying people on this planet are UK recruiters using American data mining services. To the point where I have now a mental block for UK country code on business matters. Would I trust my data to an UK business? I‘m not sure.
It's exactly the same GDPR that every country in the EU has. That recruitment practice sounds like it could be a breach, I would go ahead and submit a SAR just to put the frighteners on them to be honest.
