Schedule 1 of the Data Protection Act 1998 sets out the principles (rules) under which the Act operates to protect individuals. Part 1 para 5 and para 6 are the ones you should use with regards to parking companies misusing your personal information.
If you were not the driver and the parking company is not using Keeper Liability then Schedule 2 para 2 (a) is relevant as a non-driving keeper is not party to the contract
Part I The Principles
1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless--
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4 Personal data shall be accurate and, where necessary, kept up to date.
5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6 Personal data shall be processed in accordance with the rights of data subjects under this Act.
7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Conditions relevant for purposes of the first principle: processing of any personal data
1 The data subject has given his consent to the processing.
2 The processing is necessary--
(a) for the performance of a contract to which the data subject is a party, or
(b) for the taking of steps at the request of the data subject with a view to entering into a contract.
3 The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
4 The processing is necessary in order to protect the vital interests of the data subject.
5 The processing is necessary--
(a) for the administration of justice,
(b) for the exercise of any functions conferred on any person by or under any enactment,
(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.
6 (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
(2) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied