A classic case of “double dipping”. If you have evidence that your vehicle could not have been at the location for the full period of alleged parking, you could make a claim against them because they lacked the “reasonable cause” to obtain your data and so have breached the Data Protection Act 2018 (DPA) and UK GDPR 2018 as well as the DVLA KADOE rules and the BPA's operational guidance.
Their error is a known flaw of ANPR, in that they are required to do human checks before purchasing DVLA personal data.
It is their duty to prove that you parked for a single period of parking and breached a term. You didn't. If they had carried out the required due diligence of a human checking of the ANPR data, they would not have been relying on automated decision-making, would have spotted the 'orphan images' and would never had cause to issue a PCN at all.
Article 12 of the UK GDPR legally requires data controllers to store and process personal data accurately: clearly, any data controller issuing an invoice to you because it has wrongly recorded that you parked in breach of the alleged contract between you and the landowner (or, as in this case, an agent of the landowner) is processing your personal data unlawfully.
The precedents for claiming damages and compensation for such unlawful processing are the decisions of the Court of Appeal in
Zeta Jones & Douglas v Hello! Magazine [2003] EWHC 786 and
Halliday v Creation Consumer Finance Ltd (CCF) [2013] EWCA Civ 333, both being binding on all County Courts in England and Wales. In the latter claim, Mr Halliday was awarded compensation of £750 at what the Court regarded was the lowest level of award, and although this was a claim under Section 13 of the Data Protection Act 1998, similar provisions - amended to take account of a decision by the EU Grand Chamber that the 1998 Act did not properly implement EU law into UK domestic legislation - replaced the old Section 13 provisions with Article 12 of the UK GDPR and Section 168 of the Data Protection Act 2018.
In short, you ought to give 21 days notice (the pre-action protocol only really requires 14 days but hey, you can be charitable!) to the data controller of your intention to seek (say) £250 nominal damages and compensation under Article 12 of the UK GDPR and Section 168 of the Data Protection Act 2018 for their unlawful processing of your personal data: you could say that you will not file your claim with the County Court if they confirm in writing that all references to this alleged debt have been deleted within (say) 14 days. Clearly mark your letter as a "Letter before County Court proceedings".
Anyone who is fairly confident can claim as a litigant-in-person in Part 27 proceedings in the County Court (commonly but wrongly described as "the Small Claims Court"). Each party is responsible for their own legal costs whether they win or lose and the claim for £250 can be issued online for a fee of £35 at
moneyclaimonline.gov.uk which also gives useful advice if you want to have a look at what is involved. Your claim will automatically be listed as being for a total of £285, i.e. the successful party gets their Court fees back.
